I have a redirect virus too


  • This topic is locked
25 replies to this topic

#1 scarey318

  • Members
  • 29 posts

Posted 04 May 2010 - 06:17 PM

Yes. It seems a common problem here. My computer will redirect me to a random website when clicking on search results from Yahoo or Google, etc... Last night I tried the following:
McAfee Antivirus Scan
MalwareBytes
SuperAntiSpyWare
ComboFix

I also ran HijackThis. Here is the log. Can anyone help? (I will also include the ComboFix log at the bottom.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:08 AM, on 2010-05-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100427193744.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry
O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.17\AMVConverter\grab.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...20Installer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
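The log above is the Trend Micro HijackThis format that helpers on this forum read by hand: a header, the running-process list, then one "Rn - " or "On - " line per browser setting, BHO, toolbar, autostart entry, ActiveX (DPF) object and so on. The script below is an added example, not code from this thread, from the poster, or from Trend Micro. It parses those lines into records and applies a few defender-side review rules: entries whose target file is missing or unresolved (the "= ?" shortcut above), DPF objects with no download source recorded (the last line of the log above), Trusted Zone additions, URL search hooks (relevant to a search-redirect complaint), and components living outside the usual install roots. The rules are this example's own heuristics, not HijackThis features, and a flag means "look at this", not "this is malware". The embedded sample log is constructed: a condensed version of the log above plus one invented Temp-folder autostart entry so the "unexpected location" rule has something to catch.

```python
"""HijackThis log triage (added example, not from the thread or from Trend Micro)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "R0 - ...", "O16 - ..." lines; everything before "Running processes:" is header.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows file path on the line, e.g. C:\Program Files\...\yt.dll
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|lnk)', re.IGNORECASE)

# Roots under which installed components normally live (heuristic, lower-case).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    section: str                 # e.g. "O2"
    body: str                    # text after "O2 - "
    guid: str | None             # CLSID on the line, if any
    path: str | None             # first file path on the line, if any
    flags: list[str] = field(default_factory=list)


def parse_hjt_log(text: str) -> tuple[list[str], list[Entry]]:
    """Return (running processes, R/O entries) from a HijackThis v2 log."""
    processes: list[str] = []
    entries: list[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                  # header lines such as "Platform: ..."
        body = m.group("body")
        guid = GUID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             guid.group(0) if guid else None,
                             path.group(0) if path else None))
    return processes, entries


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach review flags (this example's heuristics) and return the flagged entries."""
    flagged: list[Entry] = []
    for e in entries:
        if "(no file)" in e.body.lower() or e.body.endswith("= ?"):
            e.flags.append("target file missing or unresolved")
        if e.section == "O16" and not re.search(r"https?://", e.body, re.IGNORECASE):
            e.flags.append("ActiveX (DPF) object with no download source recorded")
        if e.section == "O15":
            e.flags.append("site added to IE Trusted Zone; confirm it is wanted")
        if e.section == "R3":
            e.flags.append("URLSearchHook can rewrite typed searches; confirm vendor")
        if e.path and not e.path.lower().startswith(EXPECTED_ROOTS):
            e.flags.append(f"component outside expected install roots: {e.path}")
        if e.flags:
            flagged.append(e)
    return flagged


# Constructed sample: condensed from the log in the post, plus one invented
# Temp-folder autostart ("[updater]") to exercise the install-root rule.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:08 AM, on 2010-05-04
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
"""

if __name__ == "__main__":
    procs, ents = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    for e in triage(ents):
        print(f"{e.section:>4}  {e.body}")
        for f in e.flags:
            print(f"      -> {f}")
```

Run it as-is to see the five flagged lines from the sample, or pass the contents of a real HijackThis log file to `parse_hjt_log`. The "expected install roots" list is the weakest rule: legitimate per-user software does install elsewhere, so treat that flag as a prompt to check the file's publisher and signature rather than as a verdict.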


#2 schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 07 May 2010 - 01:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 scarey318
  • Topic Starter

  • Members
  • 29 posts

Posted 08 May 2010 - 10:11 AM

Thank you for trying to help. Here are the DDS logs. Note that one is attached as a ZIP file.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 11:00:17.20 on 2010-05-08
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1525 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\McciBrowser.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100427193744.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.17\amvconverter\grab.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\w6kvwvg5.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 385536]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-17 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-8-20 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-8-20 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-2 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-17 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-17 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-17 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-17 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-17 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-2 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-2 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-17 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-17 88480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-17 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-17 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-11-2 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-11-2 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-8-20 7408]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2009-11-2 1098968]

=============== Created Last 30 ================

2010-05-04 04:50:39 0 d-----w- C:\SDFix
2010-05-04 03:24:23 98816 ----a-w- c:\windows\sed.exe
2010-05-04 03:24:23 77312 ----a-w- c:\windows\MBR.exe
2010-05-04 03:24:23 256512 ----a-w- c:\windows\PEV.exe
2010-05-04 03:24:23 161792 ----a-w- c:\windows\SWREG.exe
2010-04-17 14:57:47 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-17 14:57:37 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-17 14:57:37 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-17 14:57:37 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-17 14:57:37 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-17 14:57:36 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-17 14:57:36 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 16:29:58 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-14 16:29:58 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-14 16:29:58 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2005-06-06 05:11:56 0 --sha-w- c:\windows\sminst\HPCD.sys
2005-12-13 05:34:34 56 --sh--r- c:\windows\system32\6879C0E928.sys
2005-12-13 05:34:34 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-10-28 04:10:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat
2008-11-02 16:42:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110220081103\index.dat

============= FINISH: 11:02:38.04 ===============


#4 schrauber
    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 08 May 2010 - 11:18 AM

Hello, scarey318
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 scarey318

scarey318
  • Topic Starter

  • Members
  • 29 posts
  • Local time:07:21 PM

Posted 08 May 2010 - 01:37 PM

Here is the GMER log you requested.

Edited by scarey318, 09 May 2010 - 01:11 AM.


#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:21 AM

Posted 08 May 2010 - 11:30 PM

Please don't attach the logfiles, just post them here in the thread, and please follow my above instructions.
regards,
schrauber

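The GMER log the topic starter posts next lists inline hooks in user-mode processes. The helper's first question about such a list is which hooks GMER can attribute to a named module (here McAfee's own proxy DLL) and which jump into memory that no loaded module accounts for, the usual footprint of injected code. The triage script below is an added example written for this thread, not part of the forum post and not GMER's own tooling; it parses the "User code sections" line format shown in the log and summarises per process, with a few lines excerpted from that log as sample input.

```python
"""Triage GMER "User code sections" hook lines per process (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One GMER user-code hook line:
#   .text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Byte(s) <rest>
# <rest> is either "JMP <target>[ <owner module> (<description>)]" or a
# raw byte list such as "[EF, 88]" for the tail of a split hook.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)(?: \+ \d+)? "
    r"(?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes? (?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-F]{8})(?: (?P<owner>.+))?$")


@dataclass
class Hook:
    process: str
    pid: int
    api: str                  # e.g. "WININET.dll!InternetOpenA"
    target: Optional[str]     # JMP destination; None for a raw byte patch
    owner: Optional[str]      # module GMER attributes the target to, if any


@dataclass
class ProcessSummary:
    process: str
    attributed: int = 0       # JMP into a named module (expected from AV/HIPS)
    unattributed: int = 0     # JMP into memory with no backing module
    fragments: int = 0        # byte-patch continuations of split hooks
    hooked_dlls: set = field(default_factory=set)


def parse_hook(line: str) -> Optional[Hook]:
    """Return a Hook for a user-code hook line, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    api = f"{m['mod']}!{m['func']}"
    j = JMP_RE.match(m["rest"])
    if j:
        return Hook(m["proc"], int(m["pid"]), api, j["target"], j["owner"])
    return Hook(m["proc"], int(m["pid"]), api, None, None)


def summarize(lines) -> Dict[int, ProcessSummary]:
    """Group hooks by PID and count attributed vs. unattributed JMP targets."""
    out: Dict[int, ProcessSummary] = {}
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        s = out.setdefault(h.pid, ProcessSummary(h.process))
        s.hooked_dlls.add(h.api.split("!")[0].lower())
        if h.target is None:
            s.fragments += 1
        elif h.owner:
            s.attributed += 1
        else:
            s.unattributed += 1
    return out


def flag_unattributed(summary: Dict[int, ProcessSummary]) -> List[Tuple[int, ProcessSummary]]:
    """Processes with at least one hook jumping into unattributed memory."""
    return sorted((pid, s) for pid, s in summary.items() if s.unattributed)


# Sample input: lines excerpted from the GMER log posted in this thread.
SAMPLE = r""".text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0F8D
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!WinExec + 4 7C862511 1 Byte [87]
---- Kernel code sections - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for pid, s in flag_unattributed(summarize(SAMPLE.splitlines())):
        print(f"[{pid}] {s.process}: {s.unattributed} unattributed hooks, "
              f"{s.attributed} attributed, dlls={sorted(s.hooked_dlls)}")
```

Run over the full log, the processes with many unattributed hooks on networking and registry APIs (WININET, WS2_32, ADVAPI32) are the ones the helper will want to examine; hooks resolved to a signed security product's DLL are expected and can be set aside.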

#7 scarey318

scarey318
  • Topic Starter

  • Members
  • 29 posts
  • Local time:07:21 PM

Posted 09 May 2010 - 01:09 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-08 14:31:34
Windows 5.1.2600 Service Pack 3
Running: zx6h8sv5.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\ufldipow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7BB5C50]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7BB5C64]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7BB5C90]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7BB5CE6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7BB5C3C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7BB5C14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7BB5C28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF7BB5C7A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7BB5CBC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7BB5CA6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7BB5D10]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7BB5CFC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7BB5CD0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\cpqarray.sys entry point in ".rsrc" section [0xF789E094]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8455380, 0x346307, 0xE8000020]
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF77F7300]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CB000A
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00F5F
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00F7A
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00FA1
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D0005E
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00FC3
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D000A7
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00080
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D000EE
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D000D3
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D00F30
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D00FB2
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D0006F
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00FDE
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00025
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D000C2
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0040
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0014
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF002F
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0F8D
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0F9E
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0049
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE002E
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0FD2
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE001D
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0FE3
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00CC0FDB
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00CC0011
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00CC0FC0
.text C:\WINDOWS\system32\svchost.exe[712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\services.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00960000
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00960082
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0096005D
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00960040
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0096002F
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00960FA8
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009600B0
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0096009F
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009600F7
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009600DC
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00960F39
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00960F8D
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00960FE5
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00960F72
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00960FB9
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00960FCA
.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009600CB
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00950FD4
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00950051
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00950025
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00950014
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00950F94
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00950036
.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00950FAF
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0007003D
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070FC6
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00050FC3
.text C:\WINDOWS\system32\services.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\lsass.exe[1120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0093
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F9E
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0078
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC005B
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0025
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC00AE
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0F66
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00DD
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F44
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC00EE
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0036
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0FDE
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0F83
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC000A
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0FC3
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0F55
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0F7C
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB0FCA
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0039
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0F8D
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0FA8
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0056
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0FC1
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0027
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA000C
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FD2
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\lsass.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00D10051
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02510FEF
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02510076
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02510F77
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02510051
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02510F9E
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02510FB9
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02510F38
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02510F55
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02510F0C
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025100A5
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025100C0
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02510040
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02510FDE
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02510F66
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02510025
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02510014
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02510F27
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02500FDE
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02500FA1
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02500025
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02500FEF
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02500FB2
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02500000
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02500FC3
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [70, 8A] {JO 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02500040
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 024F0FC8
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 024F0053
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 024F0FE3
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 024F0000
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 024F0038
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 024F001D
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 024D0FEF
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 024D000A
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 024D0025
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 024D0040
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024E0000
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F35
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0F46
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0F57
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0F72
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0F9E
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD0F09
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0F24
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD007D
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD0EE4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD008E
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0F8D
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0045
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD006C
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0047
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0FDB
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC002C
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC008E
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CC007D
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC0058
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0FBE
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0049
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB001D
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB002E
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB000C
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\svchost.exe[1376] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 040C0FEF
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 040C001B
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 040C000A
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008F000C
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04120FEF
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04120F4E
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04120F5F
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04120F86
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04120F97
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04120FA8
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04120079
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0412005E
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04120EF4
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04120F05
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04120EE3
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04120039
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04120FDE
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04120F3D
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04120014
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04120FC3
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!WinExec 7C86250D 3 Bytes JMP 04120F16
.text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!WinExec + 4 7C862511 1 Byte [87]
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04110036
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04110FB9
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04110025
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04110FE5
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04110076
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04110000
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04110FCA
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [31, 8C]
.text C:\WINDOWS\System32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04110051
.text C:\WINDOWS\System32\svchost.exe[1504] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02AD000A
.text C:\WINDOWS\System32\svchost.exe[1504] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02AC000A
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04100FD9
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!system 77C293C7 5 Bytes JMP 04100064
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0410002E
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04100000
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04100049
.text C:\WINDOWS\System32\svchost.exe[1504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04100011
.text C:\WINDOWS\System32\svchost.exe[1504] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 040E0000
.text C:\WINDOWS\System32\svchost.exe[1504] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 040E001B
.text C:\WINDOWS\System32\svchost.exe[1504] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 040E0036
.text C:\WINDOWS\System32\svchost.exe[1504] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 040E0FE5
.text C:\WINDOWS\System32\svchost.exe[1504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 040F0FE5
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008B002C
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008B001B
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A2005B
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A20F70
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A20F81
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A20F9E
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A20F41
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A20089
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A200BF
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A200A4
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A20F0B
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A2006C
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A20014
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A20F26
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E004A
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E0FCA
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E002F
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008E0087
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008E0076
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008E0065
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008D003A
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!system 77C293C7 5 Bytes JMP 008D0FAF
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008D000C
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008D0FD4
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008D0029
.text C:\WINDOWS\system32\svchost.exe[1548] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1548] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 008C000A
.text C:\WINDOWS\system32\svchost.exe[1548] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 008C0FD4
.text C:\WINDOWS\system32\svchost.exe[1548] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 008C0FC3
.text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40F66
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F81
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A4005B
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40FA8
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40040
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40F44
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F55
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40F07
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F18
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40EEC
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40076
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A4002F
.text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A40F29
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A3002C
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F79
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A3001B
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30F8A
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30FA5
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30FC0
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FC8
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20FD9
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A2002E
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20049
.text C:\WINDOWS\system32\svchost.exe[1772] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A2001D
.text C:\WINDOWS\system32\svchost.exe[1772] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1772] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A00014
.text C:\WINDOWS\system32\svchost.exe[1772] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1772] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A00FB9
.text C:\WINDOWS\system32\svchost.exe[1772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FEF
.text C:\Program Files\Verizon\McciBrowser.exe[1780] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
.text C:\Program Files\Verizon\McciBrowser.exe[1780] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Verizon\McciBrowser.exe[1780] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D3000C
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 012B0FEF
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 012B0FD4
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012B000A
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01E00FE5
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01E00062
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01E00F77
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01E00051
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01E00F9E
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01E00036
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01E00F26
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01E00F37
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01E00093
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01E00EFA
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01E000A4
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01E00FAF
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01E00000
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01E00F52
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01E00FCA
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01E0001B
.text C:\WINDOWS\Explorer.EXE[1956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01E00F0B
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01DF002C
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01DF0F9E
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01DF001B
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01DF0000
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01DF0FAF
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01DF0FEF
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01DF0051
.text C:\WINDOWS\Explorer.EXE[1956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01DF0FC0
.text C:\WINDOWS\Explorer.EXE[1956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01B90047
.text C:\WINDOWS\Explorer.EXE[1956] msvcrt.dll!system 77C293C7 5 Bytes JMP 01B90036
.text C:\WINDOWS\Explorer.EXE[1956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01B9001B
.text C:\WINDOWS\Explorer.EXE[1956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01B90000
.text C:\WINDOWS\Explorer.EXE[1956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01B90FC6
.text C:\WINDOWS\Explorer.EXE[1956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01B90FD7
.text C:\WINDOWS\Explorer.EXE[1956] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 012C0000
.text C:\WINDOWS\Explorer.EXE[1956] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 012C001B
.text C:\WINDOWS\Explorer.EXE[1956] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 012C002C
.text C:\WINDOWS\Explorer.EXE[1956] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[1956] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 012C003D
.text C:\WINDOWS\Explorer.EXE[1956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 012D0FEF
.text C:\WINDOWS\system32\svchost.exe[1968] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01170FEF
.text C:\WINDOWS\system32\svchost.exe[1968] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01170FCD
.text C:\WINDOWS\system32\svchost.exe[1968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01170FDE
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011C0FEF
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011C0FA8
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011C009D
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011C0FB9
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011C006C
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011C004A
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011C00E9
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011C0F97
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011C0F61
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011C0104
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011C0F50
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011C005B
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011C000A
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011C00B8
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011C002F
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011C0FD4
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011C0F86
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011B0022
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011B0F9B
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011B0011
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011B0FE5
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011B0058
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011B0000
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 011B0FB6
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3B, 89]
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011B0033
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011A0081
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 011A0066
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011A003A
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011A0055
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011A001D
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01180000
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01180011
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01180FDB
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01180FCA
.text C:\WINDOWS\system32\svchost.exe[1968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01190000
.text C:\WINDOWS\System32\svchost.exe[2732] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[2732] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 001A0014
.text C:\WINDOWS\System32\svchost.exe[2732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01080FEF
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0108006C
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01080051
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01080040
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0108002F
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01080FA8
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01080F50
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01080098
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010800C4
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01080F35
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010800DF
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01080F97
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01080000
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01080087
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01080FB9
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01080FD4
.text C:\WINDOWS\System32\svchost.exe[2732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010800B3
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01070FC0
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01070F68
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01070FDB
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0107001B
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01070F79
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01070000
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01070F9E
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 89]
.text C:\WINDOWS\System32\svchost.exe[2732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01070FAF
.text C:\WINDOWS\System32\svchost.exe[2732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01060F97
.text C:\WINDOWS\System32\svchost.exe[2732] msvcrt.dll!system 77C293C7 5 Bytes JMP 01060FA8
.text C:\WINDOWS\System32\svchost.exe[2732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01060FCD
.text C:\WINDOWS\System32\svchost.exe[2732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060000
.text C:\WINDOWS\System32\svchost.exe[2732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01060022
.text C:\WINDOWS\System32\svchost.exe[2732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01060011
.text C:\WINDOWS\System32\svchost.exe[2732] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[2732] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 001B000A
.text C:\WINDOWS\System32\svchost.exe[2732] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\System32\svchost.exe[2732] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\System32\svchost.exe[2732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\wuauclt.exe[4080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\wuauclt.exe[4080] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\wuauclt.exe[4080] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BC000C
.text C:\WINDOWS\system32\wuauclt.exe[4080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0055
.text C:\WINDOWS\system32\wuauclt.exe[4080] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D003A
.text C:\WINDOWS\system32\wuauclt.exe[4080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D000C
.text C:\WINDOWS\system32\wuauclt.exe[4080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D001D
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002E0025
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002E0062
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002E0FD4
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002E000A
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002E0051
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002E0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002E0040
.text C:\WINDOWS\system32\wuauclt.exe[4080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002E0FB9

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1804] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1804] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8ABC7EE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSfxmp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssserf \systemroot\system32\TDSSrhym.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmqlt.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSoiqh.log

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\cpqarray.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

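A small triage helper for the GMER output above, added here as an example; it is not part of the original post and not GMER's own code. It parses the "User code sections" lines to separate inline hooks that GMER attributes to a module on disk (here McAfee's mcproxy.dll) from hooks whose JMP target sits in memory that belongs to no loaded module, and pulls out the Services entries from the Registry section and the "suspicious modification" lines from the Files section. Unattributed user-mode hooks are not by themselves evidence of infection, since security products such as McAfee also inject code into other processes; they are the items to look at next. The concrete findings in this log are the TDSSserv.sys service registered under the inactive ControlSet002 and the modified atapi.sys and cpqarray.sys, which is what the parser surfaces. The sample lines are copied from the log above, and the line formats the regular expressions expect are inferred from those lines only (an assumption, not a GMER specification).

```python
"""Triage helper for GMER log lines (added example; not from the thread or GMER).

The line formats below are inferred from the log excerpt only and are assumptions."""
import re
from collections import defaultdict

# ".text <process>[<pid>] <module>!<function>[ + n] <addr> <n> Byte(s) JMP <target> [<path> (<desc>/<vendor>)]"
# or "... <n> Bytes [<raw bytes>]" for the second half of a hook GMER reports in two pieces.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)(?:\s\+\s\d+)?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})|\[(?P<raw>[^\]]*)\])"
    r"(?:\s+(?P<attr_path>[A-Za-z]:\\.+?)\s+\((?P<attr_desc>[^)]*)\))?\s*$"
)
# "Reg <key>[@<value>] <data>"; a key line may carry "(not active ControlSet)" as its data.
REG_RE = re.compile(r"^Reg\s+(?P<key>[^\s@]+)(?:@(?P<value>\S*))?(?:\s+(?P<data>.*?))?\s*$")
SERVICE_RE = re.compile(
    r"\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<name>[^\\]+)(?P<sub>(?:\\[^\\]+)*)$"
)
# "File <path> suspicious modification"
FILE_RE = re.compile(r"^File\s+(?P<path>[A-Za-z]:\\.+?)\s+(?P<note>suspicious.*?)\s*$")


def parse_hooks(text):
    """One dict per inline-hook line; attr_path is None when GMER named no owning module."""
    return [m.groupdict() for m in (HOOK_RE.match(l.strip()) for l in text.splitlines()) if m]


def summarize_hooks(hooks):
    """Per process: vendors GMER attributed hooks to, and the hooked APIs it could not attribute."""
    by_proc = defaultdict(lambda: {"attributed": set(), "unattributed": set()})
    for h in hooks:
        entry = by_proc[f"{h['proc']}[{h['pid']}]"]
        if h["attr_path"]:
            entry["attributed"].add(h["attr_desc"].rsplit("/", 1)[-1].strip())
        else:
            entry["unattributed"].add(f"{h['module']}!{h['func']}")
    return {k: {"attributed": v["attributed"], "unattributed": sorted(v["unattributed"])}
            for k, v in by_proc.items()}


def parse_registry_services(text):
    """Collect Services\\<name> entries: control set, values, and whether that set is inactive."""
    services = {}
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        s = SERVICE_RE.search(m["key"]) if m else None
        if not s:
            continue
        entry = services.setdefault(s["name"], {"control_set": s["cs"], "inactive": False, "values": {}})
        data = m["data"] or ""
        if "not active ControlSet" in data:
            entry["inactive"] = True
        if m["value"] is not None:
            sub = s["sub"].strip("\\")          # "" for the service key itself, "modules" for a subkey
            entry["values"][f"{sub}@{m['value']}"] = data
    return services


def find_suspicious_files(text):
    return [m["path"] for m in (FILE_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(text):
    return {"hooks": summarize_hooks(parse_hooks(text)),
            "services": parse_registry_services(text),
            "suspicious_files": find_suspicious_files(text)}


# Constructed sample: lines copied from the GMER log posted above.
SAMPLE_LOG = r"""
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30FA5
.text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]
.text C:\WINDOWS\system32\svchost.exe[1772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\Explorer.EXE[1956] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
File C:\WINDOWS\system32\drivers\cpqarray.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for proc, info in report["hooks"].items():
        if info["unattributed"]:
            print(f"{proc}: {len(info['unattributed'])} hooked APIs with no owning module -> review")
    for name, svc in report["services"].items():
        state = "inactive" if svc["inactive"] else "active"
        print(f"service {name} in {svc['control_set']} ({state}): {svc['values'].get('@imagepath')}")
    for path in report["suspicious_files"]:
        print(f"modified system driver: {path}")
```

Feed it the whole GMER log rather than the excerpt and every process gets its own line; the hook half reported as "RegCreateKeyW + 3 ... [C3, 88]" is folded into the same API as its JMP half, so each hooked function is counted once per process.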

#8 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 11 May 2010 - 11:23 AM

Please follow my above instructions to run Combofix.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 scarey318
  • Topic Starter
  • Members
  • 29 posts

Posted 11 May 2010 - 07:29 PM

Thank you for taking the time to help. Here is the log you requested.

ComboFix 10-05-10.05 - Owner 2010-05-11 19:41:27.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1551 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security\secureprogram.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\DVD2AVI.VFP
c:\documents and settings\Owner\lame_enc.dl

Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 23:46 . 2010-05-11 23:46 -------- d-----w- c:\windows\LastGood
2010-05-07 01:42 . 2010-05-07 01:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-07 01:41 . 2010-05-07 01:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-05-07 01:40 . 2010-05-07 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-04 04:50 . 2010-05-04 05:17 -------- d-----w- C:\SDFix
2010-04-17 14:57 . 2010-04-14 16:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-17 14:57 . 2010-04-14 16:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-17 14:57 . 2010-04-14 16:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-17 14:57 . 2010-04-14 16:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-17 14:57 . 2010-04-14 16:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-17 14:57 . 2010-04-14 16:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-17 14:57 . 2010-04-14 16:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 01:39 . 2010-02-07 21:09 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-04 01:39 . 2009-04-18 15:17 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-03 01:54 . 2008-11-08 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2008-11-08 20:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-08 20:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 14:44 . 2008-11-03 01:38 -------- d-----w- c:\program files\McAfee.com
2010-04-17 23:06 . 2009-02-27 17:49 -------- d-----w- c:\program files\Verizon
2010-04-17 22:59 . 2008-11-03 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-17 22:59 . 2008-11-03 01:38 -------- d-----w- c:\program files\McAfee
2010-04-17 22:57 . 2008-11-03 01:38 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-14 16:29 . 2008-11-03 01:39 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-14 16:29 . 2008-11-03 01:39 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-14 16:29 . 2008-06-27 11:08 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-03-27 13:49 . 2005-01-21 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-21 15:55 . 2006-12-17 07:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-03-21 15:35 . 2010-03-21 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-21 15:34 . 2010-03-21 15:33 -------- d-----w- c:\program files\iTunes
2010-03-21 15:33 . 2010-03-21 15:33 -------- d-----w- c:\program files\iPod
2010-03-21 15:33 . 2010-02-07 16:43 -------- d-----w- c:\program files\Common Files\Apple
2010-03-21 15:33 . 2005-08-06 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-20 21:17 . 2009-02-27 18:04 -------- d-----w- c:\program files\Common Files\Motive
2010-03-11 12:38 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-26 16:12 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-26 16:12 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2004-08-26 16:12 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 22:41 . 2010-02-15 22:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-12 04:33 . 2004-08-26 16:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-26 16:12 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-04-14 16:29 . 2010-04-17 14:57 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2005-06-06 05:11 . 2005-06-06 05:11 0 --sha-w- c:\windows\SMINST\HPCD.sys
2005-12-13 05:34 . 2005-12-13 05:34 56 --sh--r- c:\windows\system32\6879C0E928.sys
2005-12-13 05:34 . 2005-12-13 05:34 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-04_03.56.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 18:07 . 2010-05-11 21:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-26 18:07 . 2010-05-04 03:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-26 18:07 . 2010-05-11 21:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-26 18:07 . 2010-05-04 03:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-05 02:22 . 2010-05-11 21:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-26 18:07 . 2010-05-04 03:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-26 10:54 . 2010-05-11 20:46 212880 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2009-11-02 856280]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2009-11-02 604888]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-11-02 2195160]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-11-02 430808]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-05-07 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-05-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-10-11 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-5 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2003-9-3 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 21:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-04-17 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-08-20 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-20 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-11-02 9:42 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-04-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-04-17 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2010-04-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-04-17 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-04-17 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-04-17 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-04-17 88480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 6:30 PM 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-04-17 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-04-17 83496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [2009-11-02 2:17 PM 1098968]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 22:30]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 22:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w6kvwvg5.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 19:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AB07EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76bbf28
\Driver\ACPI -> ACPI.sys @ 0xf758fcb8
\Driver\atapi -> atapi.sys @ 0xf748f852
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7a24bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7a31a21
SendHandler -> NDIS.sys @ 0xf7a0f87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2842785939-3157959433-4276627674-1003\Software\YourCompanyName\YourProductName\Version*]
"VersionData"=hex:92,63,e3,90,a3,37,5d,3a,8a,06,1e,67,57,6e,92,6d,c7,1a,7f,a3,
f0,cc,eb,97,45,2b,4d,32,27,96,5f,9e,8a,cc,ee,ae,ee,4f,73,c4,41,7a,a5,cb,30,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1104)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-11 20:04:32
ComboFix-quarantined-files.txt 2010-05-12 00:04
ComboFix2.txt 2010-05-04 04:04

Pre-Run: 14,516,166,656 bytes free
Post-Run: 14,498,480,128 bytes free

- - End Of File - - 0E17108BFA076BE783509882507219DC


#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:21 AM

Posted 13 May 2010 - 04:58 AM

Hi,



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
TDL::
C:\WINDOWS\system32\drivers\cpqarray.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#11 scarey318

scarey318
  • Topic Starter

  • Members
  • 29 posts
  • Local time:07:21 PM

Posted 15 May 2010 - 11:21 AM

ComboFix 10-05-10.05 - Owner 2010-05-15 10:45:47.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1652 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security\secureprogram.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Security\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\DRIVERS\cpqarray.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\DRIVERS\cpqarray.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\DRIVERS\cpqarray.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-15 13:59 . 2010-05-15 14:42 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-07 01:42 . 2010-05-07 01:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-07 01:41 . 2010-05-07 01:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-05-07 01:40 . 2010-05-07 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-04 04:50 . 2010-05-04 05:17 -------- d-----w- C:\SDFix
2010-04-17 14:57 . 2010-04-14 16:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-17 14:57 . 2010-04-14 16:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-17 14:57 . 2010-04-14 16:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-17 14:57 . 2010-04-14 16:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-17 14:57 . 2010-04-14 16:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-17 14:57 . 2010-04-14 16:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-17 14:57 . 2010-04-14 16:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 01:54 . 2008-11-08 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2008-11-08 20:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-08 20:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 14:44 . 2008-11-03 01:38 -------- d-----w- c:\program files\McAfee.com
2010-04-17 23:06 . 2009-02-27 17:49 -------- d-----w- c:\program files\Verizon
2010-04-17 22:59 . 2008-11-03 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-17 22:59 . 2008-11-03 01:38 -------- d-----w- c:\program files\McAfee
2010-04-17 22:57 . 2008-11-03 01:38 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-14 16:29 . 2008-11-03 01:39 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-14 16:29 . 2008-11-03 01:39 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-14 16:29 . 2008-06-27 11:08 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-03-27 13:49 . 2005-01-21 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-21 15:55 . 2006-12-17 07:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-03-21 15:35 . 2010-03-21 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-21 15:34 . 2010-03-21 15:33 -------- d-----w- c:\program files\iTunes
2010-03-21 15:33 . 2010-03-21 15:33 -------- d-----w- c:\program files\iPod
2010-03-21 15:33 . 2010-02-07 16:43 -------- d-----w- c:\program files\Common Files\Apple
2010-03-21 15:33 . 2005-08-06 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-20 21:17 . 2009-02-27 18:04 -------- d-----w- c:\program files\Common Files\Motive
2010-03-11 12:38 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-26 16:12 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-26 16:12 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2004-08-26 16:12 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 16:29 . 2010-04-17 14:57 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2005-06-06 05:11 . 2005-06-06 05:11 0 --sha-w- c:\windows\SMINST\HPCD.sys
2005-12-13 05:34 . 2005-12-13 05:34 56 --sh--r- c:\windows\system32\6879C0E928.sys
2005-12-13 05:34 . 2005-12-13 05:34 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2009-11-02 856280]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2009-11-02 604888]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-11-02 2195160]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-11-02 430808]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-05-07 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-05-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-10-11 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-5 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2003-9-3 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 21:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-04-17 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-08-20 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-08-20 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-11-02 9:42 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-04-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-04-17 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2010-04-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-04-17 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-04-17 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-04-17 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-04-17 88480]
S1 MpKslc7da78a7;MpKslc7da78a7;\??\c:\windows\system32\MpEngineStore\MpKslc7da78a7.sys --> c:\windows\system32\MpEngineStore\MpKslc7da78a7.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 6:30 PM 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-04-17 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-04-17 83496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [2009-11-02 2:17 PM 1098968]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 22:30]

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 22:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w6kvwvg5.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2842785939-3157959433-4276627674-1003\Software\YourCompanyName\YourProductName\Version*]
"VersionData"=hex:92,63,e3,90,a3,37,5d,3a,8a,06,1e,67,57,6e,92,6d,c7,1a,7f,a3,
f0,cc,eb,97,45,2b,4d,32,27,96,5f,9e,8a,cc,ee,ae,ee,4f,73,c4,41,7a,a5,cb,30,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-15 11:11:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 15:11
ComboFix2.txt 2010-05-12 00:04
ComboFix3.txt 2010-05-04 04:04

Pre-Run: 14,269,042,688 bytes free
Post-Run: 14,261,477,376 bytes free

- - End Of File - - 1E65F0EE1431BE4122521B910C054CFD
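The parts of these logs that the helper actually acts on are a few line types: the AV/FW status header, the "Infected copy ... was found and disinfected" pairs, the Security Center and Windows Firewall registry values, and service lines ComboFix printed with a trailing [?]. The parser below pulls those out of an excerpt; it is an added example rather than ComboFix's or the thread's own code, the sample excerpt is constructed from the line shapes above, and the parsing rules are inferred from them.

```python
"""Triage of a ComboFix log: the handful of line types a helper reads first.
Added example, not ComboFix's own code; parsing rules are inferred from the
log format posted in this thread, and line shapes not seen here are ignored."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt: the same line shapes (and a few of the same entries) as
# the logs posted above, cut down to what the parser looks at.
SAMPLE_LOG = r"""AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
Infected copy of c:\windows\system32\drivers\cpqarray.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\DRIVERS\cpqarray.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-04-17 82952]
S1 MpKslc7da78a7;MpKslc7da78a7;\??\c:\windows\system32\MpEngineStore\MpKslc7da78a7.sys --> c:\windows\system32\MpEngineStore\MpKslc7da78a7.sys [?]
"""

_PROTECTION = re.compile(r"^(AV|FW): (.+?) \*(.+?)\*")
_INFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
_RESTORED = re.compile(r"^Restored copy from - (.+)$")
_REG_KEY = re.compile(r"^\[(hk[^\]]+)\]$", re.IGNORECASE)
_REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
_SERVICE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")


def protection_status(log: str) -> Dict[str, Tuple[str, str]]:
    """'AV'/'FW' -> (product, state) as printed in the header."""
    found = {}
    for line in log.splitlines():
        m = _PROTECTION.match(line)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found


def disinfected_files(log: str) -> List[Tuple[str, str]]:
    """(path, restored-from) pairs from the 'Other Deletions' section."""
    lines = log.splitlines()
    pairs = []
    for i, line in enumerate(lines):
        m = _INFECTED.match(line)
        if m:
            nxt = _RESTORED.match(lines[i + 1]) if i + 1 < len(lines) else None
            pairs.append((m.group(1), nxt.group(1) if nxt else ""))
    return pairs


def repeated_paths(pairs: List[Tuple[str, str]]) -> Dict[str, int]:
    """Paths disinfected more than once. NTFS paths are case-insensitive,
    so the drivers and DRIVERS spellings refer to the same file."""
    counts: Dict[str, int] = {}
    for path, _ in pairs:
        counts[path.lower()] = counts.get(path.lower(), 0) + 1
    return {p: n for p, n in counts.items() if n > 1}


def weak_settings(log: str) -> List[Tuple[str, str]]:
    """(value name, key) for values worth a second look: Security Center
    monitoring of a product turned off, Windows Firewall standard profile off."""
    findings, key = [], ""
    for line in log.splitlines():
        if (k := _REG_KEY.match(line)):
            key = k.group(1).lower()
        elif (v := _REG_VALUE.match(line)):
            name, value = v.group(1), v.group(2).strip()
            if name == "DisableMonitoring" and r"security center\monitoring" in key:
                if value.startswith("dword:00000001"):
                    findings.append((name, key))
            elif name == "EnableFirewall" and r"firewallpolicy\standardprofile" in key:
                if value.startswith("0"):
                    findings.append((name, key))
    return findings


def unresolved_services(log: str) -> List[Tuple[str, str]]:
    """(start type, name) of service/driver lines ending in [?], where
    ComboFix could not read the image file's date and size."""
    return [(m.group(1), m.group(2))
            for m in map(_SERVICE.match, log.splitlines())
            if m and m.group(4).rstrip().endswith("[?]")]


def triage(log: str) -> Dict[str, object]:
    """One summary dict a helper can eyeball before reading the full log."""
    pairs = disinfected_files(log)
    return {
        "protection": protection_status(log),
        "disinfected": pairs,
        "repeated": repeated_paths(pairs),
        "weak_settings": weak_settings(log),
        "unresolved_services": unresolved_services(log),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```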

#12 scarey318

scarey318
  • Topic Starter

  • Members
  • 29 posts
  • Local time:07:21 PM

Posted 15 May 2010 - 04:18 PM

It seems OK now. But I will test more to be sure. Let me know if I need to do anything else, or if this is finished.



#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:21 AM

Posted 17 May 2010 - 02:16 PM

Hi :)


Please update your version of Malwarebytes and run a quick scan, post back with the content of the logfile.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:21 AM

Posted 21 May 2010 - 04:43 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:21 AM

Posted 22 May 2010 - 12:11 PM

Reopened by user request.
regards,
schrauber




