Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with search engine re-direct


  • This topic is locked This topic is locked
10 replies to this topic

#1 JayPitts

JayPitts

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:33 PM

Posted 16 May 2010 - 06:56 AM

When I use Google to perform a search and click on a link in the search results I am re-directed to another website. This occurs when I use both IE and Firefox. Here are my dds and gmer logs. Please help...Thanks, Jay
_________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by JMcRae at 4:00:02.92 on Sun 05/16/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.169 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JMcRae\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227387064687
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jmcrae\applic~1\mozilla\firefox\profiles\ssq36u0v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-19 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-19 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-19 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-19 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-19 34248]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-10-16 58240]

=============== Created Last 30 ================

2010-05-16 05:55:32 0 d-sha-r- C:\cmdcons
2010-05-16 05:52:22 77312 ----a-w- c:\windows\MBR.exe
2010-05-16 05:52:22 256512 ----a-w- c:\windows\PEV.exe
2010-05-16 05:52:21 98816 ----a-w- c:\windows\sed.exe
2010-05-16 05:52:21 161792 ----a-w- c:\windows\SWREG.exe
2010-05-16 04:54:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-15 06:50:10 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-15 06:49:30 0 d-----w- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-09-07 03:06:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 4:02:38.39 ===============


____________________________________________________________________________________


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-16 07:47:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JMcRae\LOCALS~1\Temp\kfkyakob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF347378A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF3473821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF3473738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF347374C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF3473835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF3473861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF34738CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF34738B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF34737CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF34738FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF347380D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF3473710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF3473724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF347379E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF3473937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF34738A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF347388D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF347384B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF3473923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF347390F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF3473776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF3473762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF3473877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF34737F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF34738E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF34737E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF34737B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF8369780]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7C253BF]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F8D
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0082
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0067
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F61
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF009D
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F3C
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00D5
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00F0
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F7C
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00C4
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0FB6
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE007D
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE006C
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0047
.text C:\WINDOWS\system32\svchost.exe[432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0038
.text C:\WINDOWS\system32\svchost.exe[432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0027
.text C:\WINDOWS\system32\svchost.exe[432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FD2
.text C:\WINDOWS\system32\svchost.exe[432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FB7
.text C:\WINDOWS\system32\svchost.exe[432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FE3
.text C:\WINDOWS\system32\svchost.exe[432] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[432] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[432] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[432] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F79
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC006E
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F68
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC00A4
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00D5
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F3C
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F2B
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0FA5
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0093
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0F4D
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0073
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FDB
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0058
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB0047
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0FC0
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA004B
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0029
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA003A
.text C:\WINDOWS\system32\svchost.exe[504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0018
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007007F
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB6
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070058
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700E3
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700D2
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F5B
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700F4
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F40
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FD1
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F9B
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F76
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F9E
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005004E
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 0005003D
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD7
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005002C
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70F46
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70F57
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70F72
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70F83
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70FAF
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70067
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70F2B
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D700B1
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70096
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D70EFD
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D70F94
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70056
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70FC0
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D70F0E
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60FDB
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60065
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60FA8
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F6, 88]
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50038
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D50FAD
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50FD2
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D50027
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D50FE3
.text C:\WINDOWS\system32\lsass.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F900A9
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90098
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90087
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90051
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F88
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90F99
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F9010D
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F900FC
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90132
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F9006C
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90011
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F900C4
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90036
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F900E1
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80051
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80FC0
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F8007D
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FDB
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F8006C
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F7003F
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F7002E
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70FC8
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F7001D
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FE3
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C600C6
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C600AB
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60FD1
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C6008E
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60062
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F94
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600F7
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F68
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60108
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60073
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60FC0
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60047
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C60F79
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C5006C
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C50FAF
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50FCA
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40FB7
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40FD2
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40027
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40038
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C4000C
.text C:\WINDOWS\system32\svchost.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E10FEF
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02E10F70
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02E1005B
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E10F8D
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E10F9E
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02E1002F
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02E10080
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02E10F44
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E10F02
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E1009B
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02E100B6
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02E10040
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02E10FDE
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02E10F55
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02E10FC3
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02E10014
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02E10F13
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02730FCD
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02730054
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0273001E
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02730FDE
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02730FA1
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02730FEF
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02730043
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02730FBC
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02720016
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 02720F95
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02720FB7
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02720FEF
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02720FA6
.text C:\WINDOWS\System32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02720FDE
.text C:\WINDOWS\System32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02710FEF
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 025E0000
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 025E001B
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 025E0FEF
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 025E0036
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F5F
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650F70
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F97
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650039
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650080
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F44
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500B9
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650F16
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650EFB
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0065006F
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FCD
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F27
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0064002C
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640F80
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640FDB
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640011
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640F9B
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0064003D
.text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FB6
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630042
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FC1
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630FD2
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630027
.text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063000C
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01F50FEF
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01F50073
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01F50062
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01F50051
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01F50F94
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01F50FAF
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01F500A6
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01F50095
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01F50F17
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01F50F32
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01F500D5
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01F50036
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01F5000A
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01F50084
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01F5001B
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01F50FD4
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01F50F4D
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0162001B
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01620F80
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01620FCA
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01620000
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01620047
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01620FE5
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0162002C
.text C:\WINDOWS\Explorer.EXE[1392] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01620FA5
.text C:\WINDOWS\Explorer.EXE[1392] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01610FB9
.text C:\WINDOWS\Explorer.EXE[1392] msvcrt.dll!system 77C293C7 5 Bytes JMP 01610044
.text C:\WINDOWS\Explorer.EXE[1392] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01610029
.text C:\WINDOWS\Explorer.EXE[1392] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01610FEF
.text C:\WINDOWS\Explorer.EXE[1392] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01610FD4
.text C:\WINDOWS\Explorer.EXE[1392] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01610018
.text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 015F0FEF
.text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 015F0014
.text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 015F0FD4
.text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 015F002F
.text C:\WINDOWS\Explorer.EXE[1392] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01600FEF
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C0F5C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C005B
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C0F77
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0F94
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C0FCA
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C006C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C0F24
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C00B3
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C00A2
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C00C4
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C0FAF
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0FDB
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C0F41
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C002C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C0011
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C0091
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B0040
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0FB9
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0025
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008B0076
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B005B
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0FC8
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0049
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0027
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0038
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A000C
.text C:\WINDOWS\system32\svchost.exe[1440] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00890000
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40067
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F7C
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40F8D
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40FA8
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40040
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A4009F
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F57
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40F17
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F32
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A400CB
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40082
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FCA
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A400B0
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A30FC3
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F86
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30FDE
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30F97
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30FA8
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]
.text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A3002F
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FA6
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20FB7
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20FD2
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FE3
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20027
.text C:\WINDOWS\system32\svchost.exe[1556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A2000C
.text C:\WINDOWS\system32\svchost.exe[1556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 [F835CB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F835CB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F835CB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [F835CB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F835CB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----







BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 PM

Posted 17 May 2010 - 03:44 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

:run combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 JayPitts

JayPitts
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:33 PM

Posted 17 May 2010 - 07:52 PM

Thank you for your assistance Gringo.

I had some trouble downloading Combofix.exe. The first time I tried it I received an error saying that McAffee thought it was an "Artemis virus". Then I tried it again and every time I tried to click on the download link I receive an error saying the webpage was down or some error like that. I eventually was able to download it.

When I ran combofix I receive the message saying it was going to scan for viruses and that this could take 10 mins or longer. After a little while it said that it "detected rootkit activity and needed to reboot". It shut down and rebooted and then the same blue box appeared saying it was scanning for viruses and it could take 10 mins or longer. Just before the first step started I received a message from McAfee saying it detected the "Eicar Test File" virus and I think it said that it quarantined it or something. I had disabled McAfee so I'm not sure why it picked this up. Then combofix proceeded to run through all the steps and produced the attached log.

The re-direct problem still exists and nothing has changed.

Please let me know what to do next....Thanks, Jay

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 PM

Posted 17 May 2010 - 09:17 PM

Greetings

Looks like this is not going to go away easy - Lets do the following


TDSSKiller:
  • Please Download TDSSKiller.zip and save it on your desktop.
  • extract (unzip) its contents to your Desktop.
  • double-click the TDSSKiller Folder on your desktop.
  • right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
CODE
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • a log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02
  • To find the log click Start then Computer then Vista ( C:).
  • Please post the contents of that log in your next reply


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 JayPitts

JayPitts
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:33 PM

Posted 17 May 2010 - 09:53 PM

Gringo -

I followed your instructions and ran TDSSKiller. It worked without any issues and I have attached the log. I tested google to see if the problem was still occurring and it was not. I tested both IE an Firefox and neither time was I re-directed to another site when I clicked a link in the search results.

Does this mean I'm cured? I am worried the problem is still lingering waiting to re-appear.

Thanks,
Jay

Attached Files



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 PM

Posted 17 May 2010 - 10:07 PM

Hello JayPitts

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

extra combofix report

I need to see one of the extra reports combofix makes
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
CODE
C:\Qoobox\Add-Remove Programs.txt
  • click ok
  • copy and paste the report into this topic for me to review

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go Eset web page to run an online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Extra report from combofix
    2. Log From MBAM
    3. Log From ESET Online Scanner
    4. let me know of any problems you may have had
    5. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 JayPitts

JayPitts
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:33 PM

Posted 18 May 2010 - 06:31 AM

Gringo -

I followed your instructions and had no problems. Still no re-directs and the pc seems to be acting fine. I have pasted the extra combofix log below and have attached the Malwarebtes log. Eset was clear and found no problems. It took 2.02 hrs to run but it did not produce a log or it wasn't where you said it would be in your note.

Thanks,
Jay

___________________________________________________________

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
ATI Control Panel
ATI Display Driver
Compatibility Pack for the 2007 Office system
Conexant AC-Link Audio
Full Tilt Poker
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Software Update
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
Java Auto Updater
Java™ 6 Update 2
Java™ 6 Update 20
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McDougal Littell EasyPlanner
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft WinUsb 1.0
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.6.3)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero BurnRights
Nero OEM
PANTECH PC Card Software
PowerDVD
QuickTime
Recovery Software Suite Gateway
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SoftV92 Data Fax Modem with SmartCP
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 3
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

Attached Files



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 PM

Posted 18 May 2010 - 01:31 PM

Greetings

These logs look good.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 7.0
    Full Tilt Poker
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2
    Java Auto Updater
    Java™ 6 Update 2
    Java™ 6 Update 5
    Java™ SE Runtime Environment 6 Update 1

    Java™ 6 Update 20<--do not remove


    and click on remove

Update Adobe Reader
    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.

Very well done!! This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

:Turn On Automatic Updates:
    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and useing often.

please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 JayPitts

JayPitts
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:33 PM

Posted 18 May 2010 - 04:15 PM

Gringo -

Here's an update to your last post:

1) Uninstall some programs: Everything on your list has been uninstalled except for "Java Auto Updater" because I didn't have this program and Full Tilt Poker because I love to play poker.

2) Adobe has been updated

3) Defogger: I was never asked to dis-able my emulation drivers or download defogger so I skipped this step

4) Combofix has been uninstalled

5) I successfully ran OTCleanIt

6) I followed the steps to restore the system points

7) I followed the steps to make IE more secure

8) I turned automatic Updates on

9) I'll pass on installing antispyware and will continue to use McAffee and periodically run a scan with Malewarebytes.

Thank you very much for your assistance.

Thanks,
Jay

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 PM

Posted 18 May 2010 - 04:29 PM

Thank you very much for your assistance. - you are very welcome and stay safe

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 PM

Posted 21 May 2010 - 01:18 PM

Since the issue is resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users