A question.


10 replies to this topic

#1 krdavy

Posted 23 April 2010 - 09:20 AM

Minutes ago, I got a pop-up saying my McAfee security had a problem. Unthinking, I hit OK. It started to open a Windows Internet Explorer window. I realized that was a dumb thing to do, so I shut it as it was loading. Next I ran Malwarebytes, which showed two infected registry data items (both related to disabling the firewall and virus scan). Both were removed. I also ran a quick scan with Dr.Web CureIt, which reported nothing. Firefox appears to be running normally and no other symptoms appear.


Should I take further steps? Thanks.

This is an old Dell machine:
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name OFFICE-8BC33E3F
System Manufacturer Dell Computer Corporation
System Model Dimension XPS Gen 2
System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2992 Mhz
BIOS Version/Date Dell Computer Corporation A06, 9/27/2004
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name OFFICE-8BC33E3F\kent
Time Zone Pacific Daylight Time
Total Physical Memory 1,024.00 MB
Available Physical Memory 255.86 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 2.41 GB
Page File C:\pagefile.sys


#2 boopme

Posted 23 April 2010 - 09:34 AM

Hello, did you update before you ran the Malwarebytes scan?

I would still run these.

Next run ATF and SAS: if you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 krdavy


Posted 23 April 2010 - 10:18 AM

I'm not sure about the update on Malwarebytes. I know that I did on the Dr.Web CureIt. I'll have to wait until this evening to do the next step, as work calls. Thanks for the help. K

#4 krdavy


Posted 23 April 2010 - 10:21 AM

FYI ... I just checked in the Malwarebytes update section of the program ... I did update before running.

#5 boopme


Posted 23 April 2010 - 10:47 AM

OK cool, will look for the SAS log later.

#6 krdavy


Posted 24 April 2010 - 11:23 AM

The machine appears to be clean. I have followed your instructions and here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/24/2010 at 09:10 AM

Application Version : 4.35.1002

Core Rules Database Version : 4846
Trace Rules Database Version: 2658

Scan type : Complete Scan
Total Scan Time : 01:16:39

Memory items scanned : 267
Memory threats detected : 0
Registry items scanned : 5110
Registry threats detected : 0
File items scanned : 41193
File threats detected : 0


A couple of questions, though:
-- I assume something could still be lurking deep inside the OS, true?
-- Should SAS scans always be run from a Safe boot? Why did you have me run it from a Safe boot this time?
-- Do backdoor trojans allow a hacker to peruse a hard drive and take things (and is that common ... since I'm not the defense department or rich) or do they typically watch for certain kinds of activity (e.g. logging into bank or stock accounts)?
-- I routinely run McAfee security including firewall and virus tools. On one of my machines, I also run SpyBot Search and Destroy. It appears that this machine will now run SAS, too. Are there other recommended tools that should be run continuously?

Finally, thank you for your help. This is the second time I have been helped by one of you on this forum and I am very grateful.

K

#7 boopme


Posted 24 April 2010 - 08:41 PM

A couple of questions, though:
-- I assume something could still be lurking deep inside the OS, true?
Possibly, and we can run a rootkit scan.

-- Should SAS scans always be run from a Safe boot? Why did you have me run it from a Safe boot this time?
Preferably with SAS, as it is stronger that way, just as MBAM is stronger in normal mode.

-- Do backdoor trojans allow a hacker to peruse a hard drive and take things (and is that common ... since I'm not the defense department or rich) or do they typically watch for certain kinds of activity (e.g. logging into bank or stock accounts)?
Most of these are after passwords and financial info, e.g. credit card numbers, bank accounts, etc.

Typical back door capabilities may allow a remote attacker to:

Collect information (system and personal) from the computer and any storage device attached to it
Terminate tasks and processes
Run tasks and processes
Download additional files
Upload files and other content
Report on status
Open remote command line shells
Perform denial of service attacks on other computers
Change computer settings
Shut down or restart the computer

http://www.symantec.com/security_response/...-062614-1754-99

-- I routinely run McAfee security including firewall and virus tools. On one of my machines, I also run SpyBot Search and Destroy. It appears that this machine will now run SAS, too. Are there other recommended tools that should be run continuously?

My personal preference is MBAM, SAS and SpywareBlaster with my antivirus. I do not care for SpyBot any longer. I feel their detection rate has faltered.

Consider SpywareBlaster - prevents spyware from being installed on your PC.


Rootkit scan...
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Edited by boopme, 24 April 2010 - 08:43 PM.


#8 krdavy


Posted 25 April 2010 - 11:37 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 21:35:16
Windows 5.1.2600 Service Pack 3
Running: kpn06322.exe; Driver: C:\DOCUME~1\kent\LOCALS~1\Temp\fwkdqfow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2D45320]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF734DCA2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF734DD39]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF734DC78]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF734DC8C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF734DD4D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF734DD79]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF734DDE7]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF734DDD1]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF734DDFD]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF734DCE2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF734DD25]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF734DC14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF734DC28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF734DCB6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF734DE51]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF734DDBB]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF734DDA5]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF734DD63]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF734DE3D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF734DE29]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF734DC64]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF734DC50]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF734DD8F]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF734DD11]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF734DE13]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF734DCF8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF734DCCC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[504] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F57
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA004C
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA003B
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F72
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F0E
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F1F
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EE2
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA007B
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0ED1
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F3C
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0EFD
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093003D
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930F9E
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F81
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920F9C
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB7
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD2
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FDE
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60F6D
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60062
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60051
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60F94
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60FB9
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F600B5
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F60098
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F48
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F600E1
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60F2D
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60040
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F6007D
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60025
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F600D0
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50051
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F50036
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50F9E
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40058
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F4003D
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40018
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\services.exe[1056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00073
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00062
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00F7E
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00047
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F0002C
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F37
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00F48
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F00F0B
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F000A4
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00EFA
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FA5
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F59
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FCA
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00F26
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0FCA
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0058
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0047
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0036
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30027
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30F9C
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3000C
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FE3
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FB7
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FD2
.text C:\WINDOWS\system32\lsass.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EA006C
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EA005B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EA0F8D
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EA0F9E
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EA0F3F
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EA0F5C
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA00AC
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA0F13
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA00BD
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0FAF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA0FCA
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA0087
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA001B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA0F2E
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90F8A
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E90FDB
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90F9B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E9003D
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80FAD
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80038
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80FD2
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80027
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E8000C
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F77
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C2006C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C2005B
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20F4B
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F5C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20F30
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200C9
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20F15
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FB9
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20087
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20036
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C200AE
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10065
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10FA8
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C10040
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10025
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00064
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00049
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00038
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FE3
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C0001D
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0000
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02600FEF
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02600027
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02600F3C
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02600F4D
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02600F68
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02600F94
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02600053
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02600042
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02600ECE
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02600EDF
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02600EB3
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02600F79
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02600FD4
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02600F17
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0260000A
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02600FB9
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02600EF0
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025F0FDE
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025F0FB2
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025F0025
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025F0FEF
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025F0FC3
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025F0000
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 025F005B
.text C:\WINDOWS\System32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025F004A
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025E0FAD
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!system 77C293C7 5 Bytes JMP 025E002E
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025E0FD9
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025E0000
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025E0FBE
.text C:\WINDOWS\System32\svchost.exe[1452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025E001D
.text C:\WINDOWS\System32\svchost.exe[1452] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025D0000
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 025C0000
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 025C0FE5
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 025C0FC0
.text C:\WINDOWS\System32\svchost.exe[1452] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 025C0011
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780F61
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F7C
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780F97
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780FA8
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0078002F
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F35
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780F46
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780F13
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007800A2
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00780F02
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780040
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00780FDE
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780071
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FCD
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00780014
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00780F24
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770FA8
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0077004A
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770FC3
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0077002F
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0077001E
.text C:\WINDOWS\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770F8D
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760031
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760F9C
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0076000C
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760FE3
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760FAD
.text C:\WINDOWS\system32\svchost.exe[1500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760FD2
.text C:\WINDOWS\system32\svchost.exe[1500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000
.text C:\Program Files\Mozilla Firefox\firefox.exe[1668] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F7A
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA006F
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0FA1
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA005E
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0FC3
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA00B1
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0094
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F29
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA00CC
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0F0E
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0FB2
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA0F69
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA002F
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0F58
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90033
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90FA5
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90022
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90011
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90FB6
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C90FC7
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP C89FEDE5
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C9004E
.text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80031
.text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80F9C
.text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8000C
.text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FB7
.text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80FD2
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0F7C
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0071
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C004A
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F8D
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C002F
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F55
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C009D
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00D3
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00C2
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0F1F
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0FA8
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C008C
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FC3
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F44
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FC3
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F61
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F7C
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0F8D
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FB2
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0F92
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FAD
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A000C
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FE3
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A001D
.text C:\WINDOWS\system32\svchost.exe[1696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FD2
.text C:\WINDOWS\system32\svchost.exe[1696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F66
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F77
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0051
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0036
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A001B
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F55
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0091
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F0B
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F26
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EFA
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F94
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0076
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\Explorer.EXE[2824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00AE
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290051
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FDE
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290040
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F9E
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[2824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0070
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A005F
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0033
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A004E
.text C:\WINDOWS\Explorer.EXE[2824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A000C
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0014
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0025
.text C:\WINDOWS\Explorer.EXE[2824] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0036
.text C:\WINDOWS\Explorer.EXE[2824] ws2_32.dll!socket 71AB4211 5 Bytes JMP 021F0FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[760] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00EE2C13] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[760] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00EE2D34] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[760] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00EE2D03] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
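A way to condense a hook listing like the one above into a per-process summary, as an added example that is not part of this thread and not GMER's own tooling. It parses the `.text` inline-hook lines and the `IAT` lines shown in the log and reports, for each process, how many exports are hooked and how many of those GMER printed with no module attribution after the JMP target. Attributed entries (the firefox.exe self-hook, the VSINIT.dll IAT entries from Zone Labs) can be matched to installed software at once; the unattributed ones are what a helper cross-checks against the firewall and antivirus products on the machine. It assumes PowerShell 2.0 or later; the sample lines are copied from the log above.

```powershell
# Added example (not from the thread): summarise GMER's "User code sections" and
# "User IAT/EAT" lines per process. Requires PowerShell 2.0 or later.

# Inline hook: .text process[pid] module!export [+ offset] addr N Bytes JMP target [owner]
# A partially overwritten entry shows the raw patched bytes in brackets instead of a JMP.
$InlineHookPattern = '^\.text (?<proc>.+?)\[(?<pid>\d+)\] (?<export>\S+!\S+)(?: \+ (?<offset>\d+))? (?<addr>[0-9A-F]{8}) (?<size>\d+) Bytes (?:JMP (?<target>[0-9A-F]{8})|\[(?<bytes>[^\]]+)\])(?: (?<owner>.+))?$'
# IAT hook: IAT process[pid] @ importing-module [module!export] [target] owner
$IatHookPattern = '^IAT (?<proc>.+?)\[(?<pid>\d+)\] @ (?<module>.+?) \[(?<export>[^\]]+)\] \[(?<target>[0-9A-F]{8})\] (?<owner>.+)$'

function ConvertFrom-GmerHookLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $text = $Line.Trim()
        if ($text -match $InlineHookPattern) {
            $export = $Matches['export']
            if ($Matches['offset']) { $export = "$export +$($Matches['offset'])" }
            New-Object PSObject -Property @{
                Kind    = 'inline'
                Process = '{0}[{1}]' -f (Split-Path -Leaf $Matches['proc']), $Matches['pid']
                Export  = $export
                Target  = $Matches['target']   # empty when GMER printed raw bytes instead of a JMP
                Owner   = $Matches['owner']    # empty when GMER could not attribute the target
            }
        }
        elseif ($text -match $IatHookPattern) {
            New-Object PSObject -Property @{
                Kind    = 'iat'
                Process = '{0}[{1}]' -f (Split-Path -Leaf $Matches['proc']), $Matches['pid']
                Export  = $Matches['export']
                Target  = $Matches['target']
                Owner   = $Matches['owner']
            }
        }
        # Any other line (section headers, device entries, blanks) is ignored.
    }
}

function Get-GmerHookSummary {
    param([string[]]$LogLines)
    $LogLines | ConvertFrom-GmerHookLine | Group-Object Process | ForEach-Object {
        $unattributed = @($_.Group | Where-Object { -not $_.Owner }).Count
        New-Object PSObject -Property @{
            Process      = $_.Name
            Hooks        = $_.Count
            Unattributed = $unattributed
            Exports      = ($_.Group | ForEach-Object { $_.Export }) -join ', '
        }
    }
}

# Constructed sample: a few lines copied from the GMER log in this thread.
$sample = @'
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C200AE
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0000
.text C:\Program Files\Mozilla Firefox\firefox.exe[1668] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0F8D
.text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[760] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00EE2C13] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
'@ -split "`r?`n"

Get-GmerHookSummary -LogLines $sample | Format-Table Process, Hooks, Unattributed, Exports -AutoSize
# On a saved log instead:  Get-GmerHookSummary -LogLines (Get-Content .\gmer.log)
```

For the sample, svchost.exe[1332] and svchost.exe[1696] come out with every hook unattributed, while firefox.exe[1668] and cvpnd.exe[760] have none, which is exactly the split a reviewer wants before deciding whether the remaining entries belong to the installed security products.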

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:43 AM

Posted 26 April 2010 - 11:36 AM

That looks good, any more issues on here?
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#10 krdavy

krdavy
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:43 AM

Posted 26 April 2010 - 07:16 PM

Nope. Not on this one. Thanks very much. K

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:43 AM

Posted 26 April 2010 - 11:18 PM

Excellent!!
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
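The same two steps (a fresh restore point, then removal of every older one) as a script, an added example that is not part of boopme's instructions or of BleepingComputer's guides. It assumes PowerShell 2.0 or later (built into Windows 7; a separate install on XP SP3), an elevated prompt, and System Restore enabled on the system drive. `Checkpoint-Computer` and `Get-ComputerRestorePoint` are built-in cmdlets; `SRRemoveRestorePoint` is the documented System Restore function in SrClient.dll, called through `Add-Type` because PowerShell has no cmdlet for deleting individual points. The restore point description is my own wording.

```powershell
# Added example (not from the thread): scripted equivalent of "create a new restore
# point, then delete all but the most recent" for Windows XP (with PowerShell 2.0
# installed) or Vista/7. Run from an elevated PowerShell prompt.

# Step 1: create the post-cleanup restore point (System Restore > "Create a Restore Point").
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'

# Step 2: list the points; the one just created has the highest SequenceNumber.
$points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
if ($points.Count -eq 0) { throw 'No restore points found; is System Restore enabled on the system drive?' }
$keep = $points[-1]
Write-Host ('Keeping restore point #{0} "{1}"' -f $keep.SequenceNumber, $keep.Description)

# Step 3: remove every older point through SRRemoveRestorePoint (SrClient.dll), the
# documented System Restore API for deleting one point by its sequence number.
$signature = @'
[DllImport("SrClient.dll")]
public static extern uint SRRemoveRestorePoint(uint dwRPNum);
'@
$srClient = Add-Type -MemberDefinition $signature -Name 'SrClient' -Namespace 'SystemRestoreCleanup' -PassThru

foreach ($rp in $points) {
    if ($rp.SequenceNumber -eq $keep.SequenceNumber) { continue }
    $rc = $srClient::SRRemoveRestorePoint([uint32]$rp.SequenceNumber)
    if ($rc -eq 0) {
        Write-Host ('Removed restore point #{0} "{1}"' -f $rp.SequenceNumber, $rp.Description)
    } else {
        # Non-zero is a Win32 error code; 5 (ERROR_ACCESS_DENIED) usually means the prompt is not elevated.
        Write-Warning ('Could not remove restore point #{0} (error {1})' -f $rp.SequenceNumber, $rc)
    }
}

# Step 4: confirm that only the new baseline is left.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
```

Run it once, after the cleanup tools have finished, and note the sequence number it prints so the clean point is easy to pick out later. If any removal is reported as failed, the "More Options" button in Disk Cleanup described above is the fallback.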



