
Possible Trojan.Fraudpack and others?


  • This topic is locked
4 replies to this topic

#1 jf2

jf2

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 25 May 2010 - 10:01 PM

I have a major virus, but from what I have seen on other boards it is a known one. (Note: I have not posted to other boards)

McAfee alerted me to an infection that it quarantined. I did not catch the name.

I did a full system scan with McAfee and found nothing more.

I did a scan with Malwarebytes and it found and quarantined:

Rootkit.TDSS.Gen
Rogue.Antivirussuite.gen
Trojan.Fraudpack

Then after another restart, Windows began to launch slowly, with a blank desktop (but my current wallpaper) visible for 30 seconds or so, and then the classic Windows theme, rather than the XP theme, launched.

I am also getting redirects and automatically launching junk pages.

I have been unable to complete a GMER scan. This happened last year when I got virus support from another site. At a certain point in the process, I get a BSOD and the system either locks or restarts. The same thing happens in safe mode, although I got deeper into a scan and there were NO ITEMS HIGHLIGHTED IN RED. The other site also tried a randomly named GMER to no avail. The GMER/Ark log here is from start up only. If you would like to get a more complete scan, please tell me what to try.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jonathan Fiedler at 10:35:01.92 on Tue 05/25/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.414 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jonathan Fiedler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518110629.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\jonathan fiedler\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonath~1\applic~1\mozilla\firefox\profiles\xxbuba6j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\jonathan fiedler\application data\mozilla\firefox\profiles\xxbuba6j.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\jonathan fiedler\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npaxctrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 385880]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-28 207792]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-13 82952]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-28 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-22 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-13 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-13 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-13 141792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-15 24652]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-13 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-22 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-22 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-13 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-13 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-22 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-22 40552]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-28 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-28 1141712]

=============== Created Last 30 ================

2010-05-25 14:32:39 0 ----a-w- c:\documents and settings\jonathan fiedler\defogger_reenable
2010-05-05 14:36:59 60688 ----a-w- c:\windows\system32\SYSINFO.OCX
2010-05-05 14:31:08 0 d-----w- C:\Worden

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 21:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16:24 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16:24 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:57 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2010-02-26 05:43:57 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-02-26 05:43:55 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-26 05:43:54 251904 ------w- c:\windows\system32\dllcache\iepeers.dll

============= FINISH: 10:36:49.03 ===============

Attached Files




#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:52 PM

Posted 26 May 2010 - 11:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
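The DDS log jf2 posted above and the scan procedure schrauber describes both come down to the same triage questions a helper asks before writing a fix: is real-time protection on or off, which browser helper objects point at nothing, which Run entries load an image without a full path, and which drivers are boot-start (they load before any user-mode scanner and are where a kernel rootkit would sit). As an added example that is not part of the original thread, and not a BleepingComputer or DDS tool, the script below parses those DDS fields and applies those checks. The sample input is a constructed excerpt of lines from the logs in this thread; the regex layouts are inferred from those lines and are an assumption about the DDS format, not its specification.

```python
"""Triage helper for DDS log excerpts (added example; not a BleepingComputer or DDS tool)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the DDS logs posted in this thread.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 385880]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-28 207792]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-28 1141712]
"""

# Field layouts inferred from the lines above (assumption about the DDS format).
AV_RE = re.compile(r"^(AV|FW): (.+?) \*(.+?)\* ")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")


@dataclass
class Bho:
    name: str
    clsid: str
    file: str          # path, or the literal "No File" for an orphaned CLSID


@dataclass
class RunEntry:
    hive: str          # DDS prefix: 'u' = HKCU Run, 'm' = HKLM Run
    name: str
    cmd: str
    image: str         # executable extracted from cmd (quoted path or first token)


@dataclass
class Service:
    start: str         # R/S = running/stopped; digit = start type (0 boot, 1 system, 2 auto, 3 demand)
    name: str
    display: str
    cmd: str


@dataclass
class Report:
    av: dict = field(default_factory=dict)       # {"product": ..., "status": ...}
    fw: dict = field(default_factory=dict)
    bhos: list = field(default_factory=list)
    runs: list = field(default_factory=list)
    services: list = field(default_factory=list)


def image_of(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_dds(text: str) -> Report:
    """Pick the AV/FW status, BHO, Run and service/driver lines out of a DDS log."""
    rep = Report()
    for line in text.splitlines():
        line = line.rstrip()
        if m := AV_RE.match(line):
            target = rep.av if m.group(1) == "AV" else rep.fw
            target.update(product=m.group(2), status=m.group(3))
        elif m := BHO_RE.match(line):
            rep.bhos.append(Bho(m["name"] or "", m["clsid"], m["file"].strip()))
        elif m := RUN_RE.match(line):
            rep.runs.append(RunEntry(m["hive"], m["name"], m["cmd"], image_of(m["cmd"])))
        elif m := SVC_RE.match(line):
            rep.services.append(Service(m["start"], m["name"], m["display"], m["cmd"]))
    return rep


def triage(rep: Report) -> list:
    """Apply the checks a helper makes before writing a fix; returns one finding string per item."""
    findings = []
    if "disabled" in rep.av.get("status", "").lower():
        findings.append(f"AV: {rep.av['product']} reports '{rep.av['status']}'; re-enable after the scans")
    for b in rep.bhos:
        if b.file == "No File":
            findings.append(f"BHO {{{b.clsid}}} points at no file (orphaned CLSID; remove)")
    for r in rep.runs:
        if "\\" not in r.image:
            # A bare image name is resolved by a PATH search, so check which file actually loads.
            findings.append(f"{r.hive}Run [{r.name}] loads unqualified image '{r.image}' (resolved by PATH search)")
        if r.name == "MSConfig" and "/auto" in r.cmd:
            findings.append("MSConfig /auto present: selective startup is active, disabled items will not show as running")
    for s in rep.services:
        if s.start == "R0":
            findings.append(f"Boot-start driver {s.name}: {s.cmd} (loads before user-mode tools; review first)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_dds(SAMPLE_LOG)):
        print(finding)
```

The checks are deliberately conservative: a finding is a line to look at, not a verdict, and all four of the McAfee/PC Tools drivers flagged here are legitimate. The value of the parser is that it surfaces the same handful of lines from a 300-line log every time, so that the "No File" BHO and the unqualified KHALMNPR.EXE entry are not lost among the hundreds of benign ones.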

#3 jf2

jf2
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 27 May 2010 - 09:46 AM

Hi and thanks so much for the volunteer service that you provide. It's amazing.

I have a major virus/trojan/hijack, but from what I have seen on other boards it is a known one. (Note: I have not posted to other boards)

McAfee alerted me to an infection that it quarantined. I did not catch the name.

I did a full system scan with McAfee and found nothing more.

I did a scan with Malwarebytes and it found and quarantined:

Rootkit.TDSS.Gen
Rogue.Antivirussuite.gen
Trojan.Fraudpack

Then after another restart, Windows began to launch slowly, with a blank desktop (but my current wallpaper) visible for 30 seconds or so, and then the classic Windows theme, rather than the XP theme, launched.

I am also getting redirects and automatically launching junk pages.

I have been unable to complete a GMER scan. This happened last year when I got virus support from another site. At a certain point in the process, I get a BSOD and the system either locks or restarts. The same thing happens in safe mode, although I got deeper into a scan and there were NO ITEMS HIGHLIGHTED IN RED. I have tried the randomly named GMER file. I read somewhere to try running a scan with "files" unchecked. I did that and completed the scan. So, the log here is with files unchecked. If you would like to get a more complete scan, please tell me what to try.

The directions I was given in the previous reply were different from the directions given on the main directions forum. I wasn't sure which to do, so essentially I am doing both. Below you will find my DDS log and my GMER log. Attached are attach.txt and the GMER log as ark.txt.

I hope I did everything needed to begin a cleaning. Thanks so much.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jonathan Fiedler at 1:10:42.71 on Thu 05/27/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.604 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jonathan Fiedler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518110629.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\jonathan fiedler\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonath~1\applic~1\mozilla\firefox\profiles\xxbuba6j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\jonathan fiedler\application data\mozilla\firefox\profiles\xxbuba6j.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\jonathan fiedler\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npaxctrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 385880]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-28 207792]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-13 82952]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-28 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-22 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-13 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-13 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-13 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-13 141792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-15 24652]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-13 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-22 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-22 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-13 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-13 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-13 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-22 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-22 40552]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-28 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-28 1141712]

=============== Created Last 30 ================

2010-05-25 14:32:39 0 ----a-w- c:\documents and settings\jonathan fiedler\defogger_reenable
2010-05-05 14:36:59 60688 ----a-w- c:\windows\system32\SYSINFO.OCX
2010-05-05 14:31:08 0 d-----w- C:\Worden

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 21:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16:24 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16:24 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:57 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2010-02-26 05:43:57 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-02-26 05:43:55 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-26 05:43:54 251904 ------w- c:\windows\system32\dllcache\iepeers.dll

============= FINISH: 1:12:07.75 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-27 10:17:40
Windows 5.1.2600 Service Pack 3
Running: nsbzknrv.exe; Driver: C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\kxryruoc.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys ZwCreateKey [0xF7314E52]
SSDT PCTCore.sys ZwCreateProcess [0xF72F5CDE]
SSDT PCTCore.sys ZwCreateProcessEx [0xF72F5ED0]
SSDT PCTCore.sys ZwDeleteKey [0xF7315640]
SSDT PCTCore.sys ZwDeleteValueKey [0xF73158F4]
SSDT PCTCore.sys ZwOpenKey [0xF7313B44]
SSDT PCTCore.sys ZwRenameKey [0xF7315D60]
SSDT PCTCore.sys ZwSetValueKey [0xF7315112]
SSDT PCTCore.sys ZwTerminateProcess [0xF72F5984]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7355E4A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7355D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7355D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7355E20]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7355E60]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7355E34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C006E
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F83
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F94
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0051
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0036
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F41
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0089
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F04
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F15
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0EF3
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F5E
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0011
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F30
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D40FCA
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40058
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D40FDB
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D40FA5
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D40047
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D40036
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D3004E
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30FB9
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30018
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30033
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00800027
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00800038
.text C:\WINDOWS\system32\svchost.exe[220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[656] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0078000A
.text C:\WINDOWS\system32\svchost.exe[656] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0078002C
.text C:\WINDOWS\system32\svchost.exe[656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770065
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770054
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00770F86
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00770043
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770FB2
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00770F4B
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770087
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007700BF
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007700AE
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00770F0B
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00770FA1
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00770076
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00770FC3
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[656] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00770F30
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760FAF
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760044
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FCA
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760033
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00760022
.text C:\WINDOWS\system32\svchost.exe[656] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760011
.text C:\WINDOWS\system32\svchost.exe[656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\system32\svchost.exe[656] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F005F
.text C:\WINDOWS\system32\svchost.exe[656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\system32\svchost.exe[656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F003A
.text C:\WINDOWS\system32\svchost.exe[656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F001D
.text C:\WINDOWS\system32\svchost.exe[656] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[656] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[656] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0031
.text C:\WINDOWS\system32\svchost.exe[656] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0042
.text C:\WINDOWS\system32\svchost.exe[656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00790000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1148] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1148] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0005002C
.text C:\WINDOWS\system32\services.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0004006E
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0004005D
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040F8A
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040090
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040F48
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F08
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000400A1
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040EF7
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040F79
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FDB
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0004007F
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FC0
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F2D
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00820FB2
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00820039
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00820FC3
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00820FD4
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00820F86
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00820FEF
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00820028
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00820F97
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003C0058
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 003C0047
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003C0011
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003C0000
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003C002C
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003C0FE3
.text C:\WINDOWS\system32\services.exe[1148] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1148] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1148] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[1148] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00070031
.text C:\WINDOWS\system32\services.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F69
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040F7A
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040054
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040F97
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040FC3
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040085
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040F3D
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F22
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000400BB
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040F11
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040FB2
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F4E
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0004002F
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000400A0
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D30073
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D30FCA
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D30058
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D30047
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D3002C
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0F92
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0027
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0FC8
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE000C
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0FB7
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0FE3
.text C:\WINDOWS\system32\lsass.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[1160] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\lsass.exe[1160] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\lsass.exe[1160] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\lsass.exe[1160] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00070FAD
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E10054
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E10039
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E10F55
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E10F7C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E10F9E
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E10F1D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E1006F
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E10094
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E10EF1
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E10ED6
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E10F8D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E10FDE
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E10F44
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E10014
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E10FB9
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E10F02
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02450047
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02450FCA
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0245002C
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0245001B
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02450FDB
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0245000A
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02450073
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02450062
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E5003F
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E5002E
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50FD2
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E5001D
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50FE3
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00E40FCF
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0080002C
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007F0F86
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007F007B
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007F0F97
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007F0054
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007F002F
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007F00A2
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007F0F5A
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007F00E2
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007F00C7
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007F0F2E
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007F0FA8
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007F0F6B
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007F0FC3
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007F0FDE
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007F0F3F
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E20F9E
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20065
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E20FDE
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20040
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E2002F
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E20014
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E10FA8
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E10033
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E10FCD
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E10022
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E10FDE
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00E00FC3
.text C:\WINDOWS\system32\svchost.exe[1380] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00E00FA8
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00760022
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00760011
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F79
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0078
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F94
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0051
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F4D
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0089
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F2B
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00C4
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F1A
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F5E
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FDB
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C002C
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F3C
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0079002C
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0079006C
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0079001B
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0079005B
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00790FAF
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [99, 88]
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00790FC0
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780FC3
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!system 77C293C7 5 Bytes JMP 0078004E
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00780033
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780FD4
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780018
.text C:\WINDOWS\system32\svchost.exe[1472] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1472] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1472] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[1472] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00770FC8
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00800FC0
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007F0F6B
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007F0060
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007F0F86
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007F0F97
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007F002F
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007F0F22
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007F0F49
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007F00B1
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007F0096
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007F0EFD
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007F0FB2
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007F0F5A
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007F0FCD
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007F0FDE
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007F0085
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007E0FCA
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007E0062
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007E0F9B
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007E0047
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007E002C
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30044
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30055
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30029
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 001C0FCD
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 001C0FB2
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 027A0000
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 027A001B
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 027A0FE5
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B0000A
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0279000A
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0279008E
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0279007D
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 02790FA3
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [85]
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02790FC0
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02790058
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027900AB
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02790F63
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02790F37
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027900D0
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027900E1
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02790FDB
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0279001B
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02790F74
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02790047
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02790036
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02790F48
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02930FB9
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02930039
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0293000A
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02930FD4
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02930F7C
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02930FEF
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02930F8D
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 8A] {MOV BL, 0x8a}
.text C:\WINDOWS\Explorer.EXE[1856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02930FA8
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02920FCD
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!system 77C293C7 5 Bytes JMP 0292004E
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02920022
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02920000
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0292003D
.text C:\WINDOWS\Explorer.EXE[1856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02920011
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 027C000A
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 027C001B
.text C:\WINDOWS\Explorer.EXE[1856] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 027C0FD4
.text C:\WINDOWS\Explorer.EXE[1856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027B0000
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04000FE5
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04000011
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04000000
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03FF0000
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03FF0F8F
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03FF0084
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03FF0073
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03FF0FB6
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03FF0047
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03FF00C6
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03FF0F7E
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03FF0F63
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03FF00FC
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03FF0F48
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03FF0058
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03FF00A9
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03FF002C
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03FF001B
.text C:\WINDOWS\system32\svchost.exe[1924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03FF00EB
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04050FD1
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0405005F
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0405002C
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0405001B
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04050FAC
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04050000
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0405004E
.text C:\WINDOWS\system32\svchost.exe[1924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0405003D
.text C:\WINDOWS\system32\svchost.exe[1924] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1924] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04040FB2
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!system 77C293C7 5 Bytes JMP 04040FC3
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04040022
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04040000
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04040033
.text C:\WINDOWS\system32\svchost.exe[1924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04040011
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 0403000A
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 04030FE5
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0403001B
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 04030036
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04020FEF
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007E0FCA
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0091
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0080
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0FA6
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0051
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00A2
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F5A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F3F
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00CE
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F2E
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F81
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0040
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00BD
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F8A
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930051
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F88
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092001D
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC1
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD2
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00800016
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0000
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Control\Session Manager@PendingFileRenameOperations ???*????? ???????&?????&?? ??,? ????????X???&????????????????????4?????&?????&??? ???????????????????&? ??????????<? ???????O???????????????????????? ???????&??????????????????????????&????????????????????4?????&????COM5?????&???&??? ???????&????????????? ?????????????????f??SW\{4245ff73-1db4-11d2-86e4-98ae20524153}???{8??? ???????&??????????????????????R?????????????s???????"??&???p????????????N??(???4???>??? ???????????????????&? ???????????? ???????0???????????????????????? ???????&?????M?????&????$?????????N????????????????????????????????????????????&??{17CCA71B-ECD7-11D0-B908-00A0C9223196}???4??Microsoft Kernel Acoustic Echo Canceller????? ???????&??????????????????????????&?????????????????????????R??&???0???????4??.NT??J???&??? ???????????????????&? ???????????? ???????0???????????????????????? ???????&????????????????????>?N??????????????4?&???????&??????????ql???????J???&??? ???????&?????M?????&????$?????????N???????????????????????????????????????????? ???????&????????????????????>?R?????????????s

---- EOF - GMER 1.0.15 ----

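How to read the user-mode hook listing above, as an added example that is not part of the original post and not GMER's own code: the script below parses GMER's `.text <process>[pid] <module>!<export> <addr> N Bytes JMP <target>` lines and separates hooks GMER could attribute to a module on disk (such as the SHW32.DLL allocator replacement inside Hotsync.exe, ordinary vendor instrumentation) from JMPs into bare addresses, then reports which of those land on file, process, registry and network APIs and which exports are hooked identically across several processes. The sample excerpt is constructed in the same format as the log above, and the API watchlist is an assumption of this example, not anything the log or GMER defines.

```python
"""Triage the 'user code sections' hook lines of a GMER log.

Added example, not part of the original post and not GMER's own code.
Each hook line has the shape

  .text <process>[<pid>] <module>!<export>[ + off] <addr> <n> Bytes JMP <target> [<owner>]

GMER prints <owner> only when the JMP target lies inside a loaded module, so a
bare target means the hook body sits in memory it could not tie to a file on
disk.  Lines ending in '[xx, yy]' are the leftover bytes of a patch.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+?)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$")

# Assumed watchlist for this example: APIs whose hooking intercepts file,
# process, registry and network activity.  Extend to taste.
WATCHLIST = {
    "ntdll.dll!NtCreateFile", "ntdll.dll!NtCreateProcess",
    "kernel32.dll!CreateProcessA", "kernel32.dll!CreateProcessW",
    "ADVAPI32.dll!RegCreateKeyA", "ADVAPI32.dll!RegCreateKeyW",
    "WININET.dll!InternetOpenA", "WININET.dll!InternetOpenW",
    "WS2_32.dll!socket",
}

# Constructed excerpt in the same format as the log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[1160] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E10094
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00790FAF
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [99, 88]
.text C:\WINDOWS\Explorer.EXE[1856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 027A0000
.text C:\WINDOWS\Explorer.EXE[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02790F37
.text C:\Program Files\Palm\Hotsync.exe[3744] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
"""


@dataclass
class Hook:
    proc: str
    pid: int
    symbol: str            # "module!export"
    addr: int              # patched address inside the system DLL
    nbytes: int
    target: Optional[int]  # JMP destination; None for a raw byte patch
    owner: Optional[str]   # module GMER attributed the target to, if any


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Parse every '.text ...' hook line; anything else is skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        target = owner = None
        j = JMP_RE.match(m["rest"])
        if j:
            target, owner = int(j["target"], 16), j["owner"]
        hooks.append(Hook(m["proc"], int(m["pid"]), f"{m['module']}!{m['export']}",
                          int(m["addr"], 16), int(m["nbytes"]), target, owner))
    return hooks


def unattributed_jmp_hooks(hooks: List[Hook]) -> List[Hook]:
    """JMP hooks whose destination GMER could not tie to a loaded module."""
    return [h for h in hooks if h.target is not None and h.owner is None]


def shared_hooked_symbols(hooks: List[Hook], min_processes: int = 2) -> List[str]:
    """Exports carrying bare-target hooks in at least `min_processes` PIDs.

    One export set hooked identically in unrelated processes (lsass, service
    hosts, the shell) points at code installed system-wide, not at a single
    application's own instrumentation.
    """
    pids: Dict[str, Set[int]] = defaultdict(set)
    for h in unattributed_jmp_hooks(hooks):
        pids[h.symbol].add(h.pid)
    return sorted(s for s, p in pids.items() if len(p) >= min_processes)


def triage(text: str) -> dict:
    """Per-process summary: bare-target hooks on watched APIs and the 64 KiB
    allocation regions those hooks jump into."""
    by_pid: Dict[int, List[Hook]] = defaultdict(list)
    hooks = parse_gmer_hooks(text)
    for h in hooks:
        by_pid[h.pid].append(h)
    suspicious, attributed_only = {}, []
    for pid, phooks in sorted(by_pid.items()):
        bare = unattributed_jmp_hooks(phooks)
        if not bare:
            attributed_only.append(pid)
            continue
        suspicious[pid] = {
            "process": phooks[0].proc,
            "watched": sorted({h.symbol for h in bare if h.symbol in WATCHLIST}),
            "regions": sorted({h.target & 0xFFFF0000 for h in bare}),
        }
    return {"suspicious": suspicious, "attributed_only": attributed_only,
            "shared_symbols": shared_hooked_symbols(hooks)}
```

Run it against a saved GMER log with `triage(open(path).read())`. The per-process `regions` field masks each JMP destination to its 64 KiB allocation base, so a process whose hooks all jump into two or three private regions (as lsass, svchost and Explorer do in the log above) shows up as one block of injected code rather than as dozens of unrelated patches. Treat the output as a triage list, not a verdict: a bare target only says GMER found no module covering that address, and a hook attributed to a vendor DLL is not automatically clean.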
#4 jf2

jf2
  • Topic Starter
  • Members
  • 3 posts

Posted 28 May 2010 - 08:01 PM

I am receiving help from a different source.

I hope to not need the services here another time, but I am glad to know that they exist.

Thank you all for donating your time with virus/adware eradication and education.

You provide an amazing service.

#5 schrauber

schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 29 May 2010 - 09:51 AM

Thanks for letting me know

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
