
Request for assistance with Google redirect problem


This topic is locked
15 replies to this topic

#1 Zhang Fei


Posted 09 June 2010 - 09:32 AM

Hi there. I'm running into this Google redirect problem for select searches, and would be grateful for help from one of the volunteers here. Here are my dds.scr and gmer.exe logs:

dds.scr

QUOTE
DDS (Ver_10-03-17.01) - NTFSx86
Run by Gryphon at 8:54:11.64 on Wed 06/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.162 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\gryphon.blue-thunder\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [VOBRegCheck] c:\windows\system32\VOBREGCheck.exe -CheckReg
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\grypho~2.blu\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\grypho~2.blu\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192469665762
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238789394221
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {082E2A9E-43D8-87ED-3807-CA4CF244EFFB} - Disabled
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\grypho~2.blu\applic~1\mozilla\firefox\profiles\953ulvw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\gryphon.blue-thunder\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_new.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {2664CF80-3C6D-4EAC-BA02-95887A89DABE} - c:\documents and settings\gryphon.blue-thunder\local settings\application data\{2664CF80-3C6D-4EAC-BA02-95887A89DABE}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 61440]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-10-15 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-10-15 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-10-15 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-10-15 168776]
S3 b5c4F;b5c4F;c:\windows\system32\b5c4F.sys [2009-5-3 54624]
S3 flash;flash;\??\c:\download\acer extensa 4420 drivers\bios\bios_v1.18\flash.sys --> c:\download\acer extensa 4420 drivers\bios\bios_v1.18\flash.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\33.tmp --> c:\windows\system32\33.tmp [?]
S3 NAVAP;NAVAP;\??\c:\windows\system32\drivers\navap.sys --> c:\windows\system32\drivers\NAVAP.SYS [?]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2007-10-15 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2007-10-15 5248]

=============== Created Last 30 ================

2010-06-07 03:22:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-07 03:17:57 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 18:41:11 86 ----a-w- c:\windows\wininit.ini
2010-06-02 16:41:17 54 ----a-w- c:\documents and settings\gryphon.blue-thunder\defogger_reenable
2010-06-02 16:20:54 77312 ----a-w- C:\mbr.exe
2010-06-01 11:25:17 0 ----a-w- c:\windows\Kzelolubupovilo.bin
2010-06-01 11:25:16 120 ----a-w- c:\windows\Xnoqevusukase.dat

==================== Find3M ====================

2010-05-12 02:24:46 553914783 ----a-w- C:\DATA.zip
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 02:31:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-05-04 03:38:28 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-13 20:49:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat
2008-09-04 20:03:04 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-09-04 20:03:04 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-09-04 20:03:04 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 8:56:42.26 ===============


gmer.exe

QUOTE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-09 07:55:52
Windows 5.1.2600 Service Pack 3
Running: randomfilename8385.exe; Driver: C:\DOCUME~1\GRYPHO~2.BLU\LOCALS~1\Temp\kglcafoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE858900]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED60A35B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xED60A2DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED60A385]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED60A2EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED60A31B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED60A3AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED60A2C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED60A36F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED60A305]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xED60A331]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED60A347]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED60A3C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED60A399]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP ED60A39D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP ED60A2CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP ED60A35F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80570833 5 Bytes JMP ED60A2DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP ED60A373 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572A6E 7 Bytes JMP ED60A335 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP ED60A3C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP ED60A3B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP ED60A34B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP ED60A31F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP ED60A2F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP ED60A389 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP ED60A309 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
C:\Program Files\CyberLink\PowerDVD\000.fcl entry point in "" section [0xED86A000]
.clc C:\Program Files\CyberLink\PowerDVD\000.fcl unknown last section [0xED86B000, 0x1000, 0x00000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F8B
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F9C
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0076
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD005B
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F69
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F7A
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F2C
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F3D
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00D6
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD004A
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD009B
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD002F
.text C:\WINDOWS\Explorer.EXE[580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F4E
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0F9E
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F4D
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0F68
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0F8D
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\Explorer.EXE[580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB005F
.text C:\WINDOWS\Explorer.EXE[580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0044
.text C:\WINDOWS\Explorer.EXE[580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0022
.text C:\WINDOWS\Explorer.EXE[580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\Explorer.EXE[580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0033
.text C:\WINDOWS\Explorer.EXE[580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0011
.text C:\WINDOWS\Explorer.EXE[580] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00B90000
.text C:\WINDOWS\Explorer.EXE[580] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00B9001B
.text C:\WINDOWS\Explorer.EXE[580] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\Explorer.EXE[580] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\Explorer.EXE[580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700E9
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F50
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F35
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA1
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB2
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050018
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FC3
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C4000A
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C1002F
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10F72
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10FA8
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F26
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C1006C
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C100A4
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10093
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10EF0
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10F8D
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F4B
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FB9
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[2680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F15
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C0002C
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C0007A
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00FDB
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00011
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00069
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00000
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C00058
.text C:\WINDOWS\System32\svchost.exe[2680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00047
.text C:\WINDOWS\System32\svchost.exe[2680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF003D
.text C:\WINDOWS\System32\svchost.exe[2680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FB2
.text C:\WINDOWS\System32\svchost.exe[2680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0011
.text C:\WINDOWS\System32\svchost.exe[2680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FE3
.text C:\WINDOWS\System32\svchost.exe[2680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0022
.text C:\WINDOWS\System32\svchost.exe[2680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [614A9C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [614A9D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [614A9C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [614A9CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1656] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbhub \Device\00000078 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000079 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\usbohci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007a hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007b hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

#2 Zhang Fei
  • Topic Starter
  • Members
  • 19 posts

Posted 12 June 2010 - 10:51 PM

The Google redirection appears mainly to be to this website - http://www.2010softwarereports.com. My infection either coincided with or was part of a Vundo virus that I got rid of with a combination of McAfee, Microsoft OneCare Protection Scan, Trend Micro's online scanner and Malwarebytes. The problem is that this Google redirection virus simply will not go away, and can't be detected, let alone cleaned, by any of the above antivirus software. Because I have no idea what's lurking underneath (keyloggers, worms, backdoors), I've stopped using the infected computer, pending a resolution of the problem.

#3 Farbar
    Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 June 2010 - 03:01 AM

Hi Zhang Fei,

Welcome to the Virus/Trojan/Spyware/Malware Removal forum.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

CODE
@echo off
cd\
rem remove any log left over from a previous run
if exist mbr.log del mbr.log
rem run the MBR rootkit detector; it writes mbr.log in the current directory (C:\)
mbr.exe -t
rem one-second pause so the log is fully written before it is opened
ping 1.1.1.1 -n 1 -w 1000 >nul
start c:\mbr.log

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.


#4 Zhang Fei
  • Topic Starter
  • Members
  • 19 posts

Posted 14 June 2010 - 10:18 PM

(First off, thanks in advance for helping me with this problem.) The following is what I got in response:

QUOTE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x870202D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x870202d8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !


#5 Farbar
    Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 June 2010 - 05:03 AM

Please download TDSSKiller.exe and save it to your desktop.
Run the tool and let it reboot if needed.
There will be a log on the C: drive (TDSSKiller-some numbers-.txt). Please post or attach the log.
Reboot the computer once manually, then run look.bat again and post the log it makes.

#6 Zhang Fei
  • Topic Starter
  • Members
  • 19 posts

Posted 15 June 2010 - 06:00 AM

Here's the TDSSKiller.exe log file:

QUOTE
05:51:25:115 1148 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
05:51:25:115 1148 ================================================================================
05:51:25:115 1148 SystemInfo:

05:51:25:115 1148 OS Version: 5.1.2600 ServicePack: 3.0
05:51:25:115 1148 Product type: Workstation
05:51:25:115 1148 ComputerName: BLUE-THUNDER
05:51:25:115 1148 UserName: Gryphon
05:51:25:115 1148 Windows directory: C:\WINDOWS
05:51:25:115 1148 Processor architecture: Intel x86
05:51:25:115 1148 Number of processors: 1
05:51:25:115 1148 Page size: 0x1000
05:51:25:115 1148 Boot type: Normal boot
05:51:25:115 1148 ================================================================================
05:51:27:368 1148 Initialize success
05:51:27:368 1148
05:51:27:368 1148 Scanning Services ...
05:51:28:170 1148 Raw services enum returned 371 services
05:51:28:230 1148
05:51:28:230 1148 Scanning Drivers ...
05:51:30:443 1148 a347bus (1f61cacacb521215f39061789147968c) C:\WINDOWS\system32\DRIVERS\a347bus.sys
05:51:30:573 1148 a347scsi (113e4b318bbaa7483ca4e582a4d63f49) C:\WINDOWS\system32\Drivers\a347scsi.sys
05:51:30:673 1148 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
05:51:30:773 1148 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
05:51:30:823 1148 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
05:51:31:024 1148 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
05:51:31:494 1148 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
05:51:31:624 1148 AgereSoftModem (35c391e40471a0b479328fc7b1b5f40f) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
05:51:31:925 1148 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
05:51:32:295 1148 asapiW2k (875f9079cabee679d34b49e466b61701) C:\WINDOWS\system32\DRIVERS\asapiW2k.sys
05:51:32:546 1148 ASPI32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
05:51:32:776 1148 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
05:51:32:826 1148 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
05:51:32:826 1148 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674
05:51:33:107 1148 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
05:51:33:487 1148 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
05:51:33:567 1148 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
05:51:33:637 1148 b5c4F (43b0076b3ab8996b84d2cc8f990b582f) C:\WINDOWS\system32\b5c4F.sys
05:51:33:828 1148 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
05:51:33:978 1148 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
05:51:34:048 1148 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
05:51:34:148 1148 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
05:51:34:318 1148 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
05:51:34:358 1148 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
05:51:34:489 1148 ctac32k (4b6096745f72b4fd36514617e2ea5d37) C:\WINDOWS\system32\drivers\ctac32k.sys
05:51:34:759 1148 ctaud2k (3576ec792347ed15699f6d830e0f5437) C:\WINDOWS\system32\drivers\ctaud2k.sys
05:51:34:829 1148 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
05:51:35:089 1148 ctprxy2k (097d42574e3c6d98cd5a2ee7647fa6bf) C:\WINDOWS\system32\drivers\ctprxy2k.sys
05:51:35:500 1148 ctsfm2k (c58a2507ef62b20b9bd670c666088b50) C:\WINDOWS\system32\drivers\ctsfm2k.sys
05:51:35:700 1148 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
05:51:35:861 1148 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
05:51:35:991 1148 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
05:51:36:041 1148 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
05:51:36:361 1148 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
05:51:36:481 1148 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
05:51:36:562 1148 ElbyCDIO (e4788e5b3e5f0a0bbb318a9c426c2812) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
05:51:36:752 1148 ElbyDelay (0b15894b0698abcac9f19d060119d1d0) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
05:51:36:972 1148 emupia (a9d94b89372f3f9609a1a5eec631a260) C:\WINDOWS\system32\drivers\emupia2k.sys
05:51:37:192 1148 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
05:51:37:443 1148 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
05:51:37:683 1148 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
05:51:37:813 1148 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
05:51:37:924 1148 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
05:51:38:024 1148 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
05:51:38:064 1148 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
05:51:38:114 1148 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
05:51:38:174 1148 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
05:51:38:374 1148 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
05:51:38:484 1148 ha10kx2k (dc9847cdc43665ed4cc780947516209c) C:\WINDOWS\system32\drivers\ha10kx2k.sys
05:51:38:705 1148 hcmon (2084888f800fb1c1e514fd6da168b5b3) C:\WINDOWS\system32\drivers\hcmon.sys
05:51:38:875 1148 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
05:51:39:015 1148 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
05:51:39:175 1148 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
05:51:39:225 1148 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
05:51:39:366 1148 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
05:51:39:466 1148 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
05:51:39:516 1148 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
05:51:39:626 1148 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
05:51:39:766 1148 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
05:51:39:836 1148 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
05:51:39:876 1148 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
05:51:39:946 1148 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
05:51:40:157 1148 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
05:51:40:217 1148 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
05:51:40:297 1148 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
05:51:40:467 1148 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
05:51:40:557 1148 mfeapfk (1f334eb2a13816df45671ebb98896da7) C:\WINDOWS\system32\drivers\mfeapfk.sys
05:51:40:688 1148 mfeavfk (8a1dedbbdad33587f6fad780ce4b34b5) C:\WINDOWS\system32\drivers\mfeavfk.sys
05:51:40:718 1148 mfebopk (d800e31a019a6979698eef0507baa746) C:\WINDOWS\system32\drivers\mfebopk.sys
05:51:40:878 1148 mfehidk (0ae14fab8e25c258c6ebf3827c649273) C:\WINDOWS\system32\drivers\mfehidk.sys
05:51:41:098 1148 mferkdk (e72afc5056f6804c616e7dc32a38945f) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
05:51:41:559 1148 mfetdik (a47f0f63e92730de15d41624ab998c5c) C:\WINDOWS\system32\drivers\mfetdik.sys
05:51:41:639 1148 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
05:51:41:719 1148 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
05:51:41:829 1148 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
05:51:41:899 1148 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
05:51:42:150 1148 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
05:51:42:370 1148 MpFilter (dfa1cd670ea50a21c87c92c727c50950) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
05:51:43:061 1148 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
05:51:43:171 1148 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
05:51:43:502 1148 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
05:51:43:552 1148 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
05:51:43:602 1148 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
05:51:43:852 1148 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
05:51:43:932 1148 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
05:51:44:072 1148 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
05:51:44:163 1148 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
05:51:44:193 1148 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
05:51:44:233 1148 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
05:51:44:303 1148 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
05:51:44:463 1148 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
05:51:44:553 1148 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
05:51:44:633 1148 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
05:51:44:884 1148 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
05:51:45:144 1148 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
05:51:45:314 1148 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
05:51:45:374 1148 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
05:51:45:424 1148 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
05:51:45:575 1148 ossrv (f29184bdc81c398b6027a67ff6a19895) C:\WINDOWS\system32\drivers\ctoss2k.sys
05:51:45:895 1148 PalmUSBD (803cf09c795290825607505d37819135) C:\WINDOWS\system32\drivers\PalmUSBD.sys
05:51:46:165 1148 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
05:51:46:266 1148 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
05:51:46:536 1148 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
05:51:46:646 1148 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
05:51:46:926 1148 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
05:51:47:087 1148 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
05:51:47:517 1148 Pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\Pcouffin.sys
05:51:48:429 1148 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
05:51:48:469 1148 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
05:51:48:559 1148 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
05:51:48:629 1148 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
05:51:48:789 1148 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
05:51:48:849 1148 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
05:51:49:009 1148 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
05:51:49:080 1148 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
05:51:49:130 1148 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
05:51:49:160 1148 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
05:51:49:210 1148 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
05:51:49:380 1148 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
05:51:49:620 1148 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
05:51:49:771 1148 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
05:51:49:921 1148 SASKUTIL (f81ea209a3e43c33f99ff89ebab82d93) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
05:51:50:401 1148 SCDEmu (612a3d69e603dbbe5c3c1079186a0393) C:\WINDOWS\system32\drivers\SCDEmu.sys
05:51:50:932 1148 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
05:51:51:032 1148 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
05:51:51:092 1148 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
05:51:51:153 1148 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
05:51:51:263 1148 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
05:51:51:373 1148 SISNIC (3fbb6ef8b5a71a2fa11f5f461bb73219) C:\WINDOWS\system32\DRIVERS\sisnic.sys
05:51:51:443 1148 SISNICXP (a1348a901a44760ccd76043525e851d0) C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
05:51:51:603 1148 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
05:51:51:643 1148 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
05:51:51:773 1148 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
05:51:51:824 1148 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
05:51:51:894 1148 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
05:51:52:354 1148 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
05:51:52:504 1148 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
05:51:52:655 1148 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
05:51:52:915 1148 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
05:51:53:145 1148 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
05:51:53:816 1148 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
05:51:54:267 1148 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
05:51:54:808 1148 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
05:51:55:028 1148 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
05:51:55:459 1148 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
05:51:55:779 1148 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
05:51:56:140 1148 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
05:51:56:250 1148 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
05:51:56:380 1148 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
05:51:56:801 1148 vmci (bf327b6ae50c0d5d1cc7aa49cf56c9f3) C:\WINDOWS\system32\Drivers\vmci.sys
05:51:57:291 1148 vmkbd (47755d44592212c8e609b0bb36227a4b) C:\WINDOWS\system32\drivers\VMkbd.sys
05:51:57:862 1148 VMnetAdapter (898706a05d20b706848a440961c52436) C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys
05:51:58:413 1148 VMnetBridge (5692cbd2a25e04c62707bfc311884b65) C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys
05:51:58:874 1148 VMnetuserif (6a1b3f7d9e25929fd42712ab80aebf62) C:\WINDOWS\system32\drivers\vmnetuserif.sys
05:51:59:775 1148 VMparport (f94040d3d27b56a46d559fd78a3e4084) C:\WINDOWS\system32\Drivers\VMparport.sys
05:52:00:346 1148 vmusb (25017db6451b002158db425961a82b7b) C:\WINDOWS\system32\Drivers\vmusb.sys
05:52:01:297 1148 vmx86 (925faad003f782057f1e0eea0797900e) C:\WINDOWS\system32\Drivers\vmx86.sys
05:52:02:339 1148 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
05:52:02:589 1148 vstor2-ws60 (e4fa7aff5046fc49de22e903b7e35add) C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys
05:52:03:590 1148 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
05:52:03:861 1148 wceusbsh (4a954a20a4c73d6db13c0fe25f3f1b0c) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
05:52:04:392 1148 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
05:52:04:742 1148 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
05:52:04:872 1148 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
05:52:05:273 1148 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
05:52:05:573 1148 {95808DC4-FA4A-4C74-92FE-5B863F82066B} (560bf4bd85bf11608ee85d6cf87c02da) C:\Program Files\CyberLink\PowerDVD\000.fcl
05:52:06:144 1148
05:52:06:254 1148 Completed
05:52:06:254 1148
05:52:06:254 1148 Results:
05:52:06:264 1148 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
05:52:06:264 1148 File objects infected / cured / cured on reboot: 0 / 0 / 0
05:52:06:264 1148
05:52:06:284 1148 KLMD(ARK) unloaded successfully


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:12 AM

Posted 15 June 2010 - 06:50 AM

It looks like TDSSKiller found nothing, so we have to dig deeper.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


CODE
@echo off
rem Write the output of every command below into one file, Log1.txt, next to this batch file
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
rem Open the log in Notepad, then remove this batch file itself
start Log1.txt
del %0

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: test.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click test.bat on the desktop.
  • A Notepad window opens; copy and paste its content (Log1.txt) into your reply.


#8 Zhang Fei

Zhang Fei
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:12 AM

Posted 15 June 2010 - 09:47 AM

So this line from the TDSSKiller.exe log has no significance?

QUOTE
05:51:32:826 1148 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674


Here's the log file from running test.bat:

QUOTE
Windows IP Configuration

Host Name . . . . . . . . . . . . : blue-thunder
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter VMware Network Adapter VMnet8:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
Physical Address. . . . . . . . . : 00-50-56-C0-00-08
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.239.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
Physical Address. . . . . . . . . : 00-50-56-C0-00-01
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.233.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0A-E6-79-ED-1D
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.67
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Lease Obtained. . . . . . . . . . : Tuesday, June 15, 2010 9:19:31 AM
Lease Expires . . . . . . . . . . : Wednesday, June 16, 2010 9:19:31 AM

Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 209.85.225.105, 209.85.225.103, 209.85.225.147, 209.85.225.99
209.85.225.106, 209.85.225.104

Server: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43



Pinging google.com [209.85.225.106] with 32 bytes of data:

Reply from 209.85.225.106: bytes=32 time=60ms TTL=42
Reply from 209.85.225.106: bytes=32 time=60ms TTL=42

Ping statistics for 209.85.225.106:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 60ms, Maximum = 60ms, Average = 60ms

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:

Reply from 69.147.125.65: bytes=32 time=68ms TTL=47
Reply from 69.147.125.65: bytes=32 time=75ms TTL=47

Ping statistics for 69.147.125.65:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 68ms, Maximum = 75ms, Average = 71ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
0x4 ...00 0a e6 79 ed 1d ...... SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.67      20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.67     192.168.1.67      20
     192.168.1.67  255.255.255.255        127.0.0.1        127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.67     192.168.1.67      20
    192.168.233.0    255.255.255.0    192.168.233.1    192.168.233.1      20
    192.168.233.1  255.255.255.255        127.0.0.1        127.0.0.1      20
  192.168.233.255  255.255.255.255    192.168.233.1    192.168.233.1      20
    192.168.239.0    255.255.255.0    192.168.239.1    192.168.239.1      20
    192.168.239.1  255.255.255.255        127.0.0.1        127.0.0.1      20
  192.168.239.255  255.255.255.255    192.168.239.1    192.168.239.1      20
        224.0.0.0        240.0.0.0     192.168.1.67     192.168.1.67      20
        224.0.0.0        240.0.0.0    192.168.233.1    192.168.233.1      20
        224.0.0.0        240.0.0.0    192.168.239.1    192.168.239.1      20
  255.255.255.255  255.255.255.255     192.168.1.67     192.168.1.67       1
  255.255.255.255  255.255.255.255    192.168.233.1    192.168.233.1       1
  255.255.255.255  255.255.255.255    192.168.239.1    192.168.239.1       1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
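
Reading a Log1.txt like the one above is mostly a matter of comparing layers: the adapter's DNS servers against the gateway, and nslookup's answers (which come straight from the DNS server) against the address ping actually used (which goes through the hosts file and the Winsock stack). The script below is an added example, not part of this thread or of any tool mentioned in it. It parses the batch file's output and flags those disagreements. The first sample is trimmed from the log posted above; the second is a constructed hijack case that uses documentation addresses (203.0.113.0/24); the tag names and the LAN ranges are my own choices. A resolver outside the LAN is only a lead: anyone who set a public DNS server by hand trips that check too.

```python
import ipaddress
import re

# Ranges treated as "on the LAN" (assumption: a home network behind a router).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
KEYVAL_RE = re.compile(r"^([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
IPLIST_RE = re.compile(r"^" + IP + r"(?:[,\s]+" + IP + r")*$")
PING_RE = re.compile(r"^Pinging (\S+) \[(" + IP + r")\]")

# Trimmed from the Log1.txt posted above (real values from the thread).
CLEAN_LOG = """\
Ethernet adapter Local Area Connection:
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Server: home
Address: 192.168.1.254
Name: google.com
Addresses: 209.85.225.105, 209.85.225.103, 209.85.225.147, 209.85.225.99
          209.85.225.106, 209.85.225.104
Pinging google.com [209.85.225.106] with 32 bytes of data:
"""
# Constructed sample: adapter DNS rewritten to rogue resolvers (documentation
# addresses, 203.0.113.0/24) and google.com pinned elsewhere via the hosts file.
HIJACKED_LOG = """\
Ethernet adapter Local Area Connection:
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 203.0.113.5
                                    203.0.113.6
Server: UnKnown
Address: 203.0.113.5
Name: google.com
Addresses: 203.0.113.50, 203.0.113.51
Pinging google.com [203.0.113.99] with 32 bytes of data:
"""


def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def parse_log(text):
    """Pull gateways, DNS servers, nslookup answers and ping targets out of Log1.txt."""
    info = {"gateway": set(), "dns": [], "nslookup": {}, "ping": {}}
    current = None   # which list an indented continuation line belongs to
    name = None      # host whose nslookup answer is being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PING_RE.match(line)
        if m:
            info["ping"][m.group(1).lower()] = m.group(2)
            current = None
            continue
        m = KEYVAL_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            current = None
            if key == "Default Gateway" and value:
                info["gateway"].add(value)
            elif key == "DNS Servers":
                info["dns"].extend(re.findall(IP, value))
                current = "dns"
            elif key == "Server":           # nslookup: resolver banner, not an answer
                name = None
            elif key == "Name":             # nslookup: answer section starts
                name = value.lower()
                info["nslookup"].setdefault(name, [])
            elif key in ("Address", "Addresses") and name:
                info["nslookup"][name].extend(re.findall(IP, value))
                current = "answer"
        elif current and IPLIST_RE.match(line):   # continuation line of a list
            target = info["dns"] if current == "dns" else info["nslookup"][name]
            target.extend(re.findall(IP, line))
        else:
            current = None
    return info


def check(info):
    """Return 'tag:detail' strings for the layers that disagree."""
    out = []
    if info["gateway"] and all(is_lan(g) for g in info["gateway"]):
        out += ["dns-server-outside-lan:" + d for d in info["dns"] if not is_lan(d)]
    # nslookup asks the DNS server directly; ping resolves through the hosts
    # file and the Winsock/LSP stack, so a mismatch points at those layers.
    for host, addr in info["ping"].items():
        answers = info["nslookup"].get(host)
        if answers and addr not in answers:
            out.append("ping-resolution-mismatch:%s:%s" % (host, addr))
    for host, answers in info["nslookup"].items():
        out += ["lan-answer:%s:%s" % (host, a) for a in answers if is_lan(a)]
    return out


def analyze(text):
    return check(parse_log(text))
```

Run `analyze(open("Log1.txt").read())` on a real log; an empty list means none of the three layers contradicts another, which matches the clean log above, while the constructed sample yields two rogue-resolver findings and one hosts-file style mismatch.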


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:12 AM

Posted 15 June 2010 - 10:07 AM

To answer your question about the log, the tool was supposed to find the infected driver and disinfect it as the name says.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Edited by farbar, 15 June 2010 - 10:07 AM.


#10 Zhang Fei

Zhang Fei
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:12 AM

Posted 15 June 2010 - 11:36 AM

Here are the contents of ComboFix.txt:

QUOTE
ComboFix 10-06-14.03 - Gryphon 06/15/2010 11:09:24.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.481 [GMT -5:00]
Running from: c:\documents and settings\Gryphon.BLUE-THUNDER\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\inst.exe
c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\{2664CF80-3C6D-4EAC-BA02-95887A89DABE}
c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\{2664CF80-3C6D-4EAC-BA02-95887A89DABE}\chrome.manifest
c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\{2664CF80-3C6D-4EAC-BA02-95887A89DABE}\chrome\content\_cfg.js
c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\{2664CF80-3C6D-4EAC-BA02-95887A89DABE}\chrome\content\overlay.xul
c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\{2664CF80-3C6D-4EAC-BA02-95887A89DABE}\install.rdf
C:\HCT73D.tmp
C:\HCT73E.tmp
c:\windows\regedit.com
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-07 03:22 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-07 03:17 . 2010-06-07 03:18 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 12:48 . 2010-06-03 12:48 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-03 10:56 . 2010-06-03 18:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-06-02 16:20 . 2010-06-02 16:18 77312 ----a-w- C:\mbr.exe
2010-06-02 13:28 . 2010-06-12 12:41 63488 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-01 07:59 . 2010-06-04 06:50 -------- d-----w- c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\Yahoo
2010-06-01 07:58 . 2010-06-01 07:59 -------- d-----w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Yahoo!
2010-06-01 07:57 . 2010-06-01 07:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-06-01 07:57 . 2010-04-20 21:45 607472 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-05-31 02:25 . 2010-05-31 02:25 503808 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16852ca1-n\msvcp71.dll
2010-05-31 02:25 . 2010-05-31 02:25 499712 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16852ca1-n\jmc.dll
2010-05-31 02:25 . 2010-05-31 02:25 348160 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16852ca1-n\msvcr71.dll
2010-05-31 02:25 . 2010-05-31 02:25 61440 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-77b27fa4-n\decora-sse.dll
2010-05-31 02:25 . 2010-05-31 02:25 12800 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-77b27fa4-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 15:57 . 2009-05-13 01:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\VMware
2010-06-15 15:57 . 2009-05-13 01:36 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\VMware
2010-06-15 15:56 . 2007-10-15 20:06 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2010-06-15 15:56 . 2007-10-15 20:06 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80651102}.dat
2010-06-15 15:39 . 2009-08-15 21:47 -------- d-----w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Skype
2010-06-15 14:23 . 2009-08-15 21:48 -------- d-----w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\skypePM
2010-06-12 12:40 . 2010-05-02 17:09 117760 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-06 10:16 . 2007-10-13 11:18 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-06 08:31 . 2006-05-08 05:34 -------- d-----w- c:\program files\Yahoo!
2010-05-12 02:24 . 2007-08-31 05:41 553914783 ----a-w- C:\DATA.zip
2010-05-09 21:09 . 2009-05-05 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 03:32 . 2010-05-07 03:32 -------- d-----w- c:\program files\HDDGURU LLF Tool
2010-05-06 02:02 . 2010-05-05 19:59 1080 ----a-w- c:\windows\AUTOLNCH.REG
2010-05-05 19:59 . 2010-05-05 19:59 -------- d-----w- c:\program files\Hewlett-Packard
2010-05-05 19:59 . 2005-07-30 02:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-04 17:20 . 2002-08-29 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-04-29 19:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2002-08-29 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 20:04 . 2005-07-30 01:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-02 17:09 . 2010-05-02 17:09 52224 ----a-w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-02 17:08 . 2010-05-02 17:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-05-02 17:08 . 2010-05-02 17:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-02 17:08 . 2010-05-02 17:08 -------- d-----w- c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\SUPERAntiSpyware.com
2010-05-02 17:07 . 2010-05-02 17:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-02 05:22 . 2002-08-29 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-05-05 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-05-05 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 18:17 . 2006-01-20 21:31 -------- d-----w- c:\program files\BitSpirit
2010-04-26 16:44 . 2010-04-26 16:44 -------- d-----w- c:\program files\Sophos
2010-04-24 02:32 . 2005-09-05 01:31 -------- d-----w- c:\program files\Common Files\Java
2010-04-24 02:31 . 2010-04-24 02:31 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 19:51 . 2008-06-22 19:00 -------- d-----w- c:\program files\palmOne
2008-06-05 01:31 . 2008-06-05 00:54 24 --sh--w- c:\windows\SEAB074A3.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-27 2020592]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"VOBRegCheck"="c:\windows\System32\VOBREGCheck.exe" [2003-01-08 153088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009-03-27 96816]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-03-15 54832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\documents and settings\Gryphon.BLUE-THUNDER\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-24 576000]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-10-15 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-3 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/15/2007 10:09 PM 5248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 10:05 PM 54960]
S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/15/2007 10:09 PM 160640]
S3 b5c4F;b5c4F;c:\windows\system32\b5c4F.sys [5/3/2009 10:56 PM 54624]
S3 flash;flash;\??\c:\download\Acer Extensa 4420 Drivers\Bios\BIOS_v1.18\flash.sys --> c:\download\Acer Extensa 4420 Drivers\Bios\BIOS_v1.18\flash.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\33.tmp --> c:\windows\system32\33.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-113007714-1343024091-1003Core.job
- c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-30 04:03]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-113007714-1343024091-1003UA.job
- c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-30 04:03]

2010-06-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

2010-06-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Gryphon.BLUE-THUNDER\Application Data\Mozilla\Firefox\Profiles\953ulvw2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Gryphon.BLUE-THUNDER\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\windows\system32\Macromed\Flash\NPSWF32_new.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{082E2A9E-43D8-87ED-3807-CA4CF244EFFB} - Disabled
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
AddRemove-TMPGEnc DVD Author 1.6 - c:\programme\Pegasys Inc\TMPGEnc DVD Author 1.6\Uninstal.exe
AddRemove-TMPGEnc Sound Plug-in AC-3 - c:\program files\PEGASYS INC\TMPGENC SOUND PLAYER\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\33.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-15 11:30:55
ComboFix-quarantined-files.txt 2010-06-15 16:30

Pre-Run: 27,844,866,048 bytes free
Post-Run: 29,526,093,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - E549C752A7166B915C146A3FA7159AE9
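
Two of the files ComboFix deleted above, c:\windows\regedit.com and c:\windows\system32\taskmgr.com, sit beside the real regedit.exe and taskmgr.exe. Windows tries the extensions in PATHEXT in order when a bare name is run, and .COM comes before .EXE in the default value, so typing regedit or taskmgr at a prompt starts the .com copy instead of the real tool. The script below is an added example, not from the thread or from ComboFix: it lists files in a set of directories that shadow another file of the same base name under PATHEXT ordering. It demonstrates on a throwaway directory of empty placeholder files; the shortened PATHEXT value and the demo file names are assumptions, and nothing is executed.

```python
import os
import tempfile

# Leading entries of Windows' default PATHEXT, in search order (assumption: the
# real value on a machine has more entries after these; pass it in if you have it).
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"


def find_shadowing(directories, pathext=DEFAULT_PATHEXT):
    """Return (shadowing, shadowed) path pairs: files in the same directory that
    share a base name, where the first's extension sorts earlier in PATHEXT and
    therefore wins when the bare name is executed."""
    rank = {ext.lower(): i for i, ext in enumerate(pathext.split(";"))}
    hits = []
    for d in directories:
        try:
            entries = os.listdir(d)
        except OSError:          # missing or unreadable directory: skip it
            continue
        by_stem = {}
        for entry in entries:
            stem, ext = os.path.splitext(entry)
            if ext.lower() in rank:
                by_stem.setdefault(stem.lower(), []).append(entry)
        for stem in sorted(by_stem):
            group = sorted(by_stem[stem],
                           key=lambda e: rank[os.path.splitext(e)[1].lower()])
            for loser in group[1:]:
                hits.append((os.path.join(d, group[0]), os.path.join(d, loser)))
    return hits


def demo():
    """Constructed tree mimicking the two pairs ComboFix removed: empty
    placeholder files only, so it runs anywhere."""
    root = tempfile.mkdtemp(prefix="shadow-demo-")
    system32 = os.path.join(root, "system32")
    os.mkdir(system32)
    for name in ("regedit.exe", "regedit.com", "notepad.exe"):
        open(os.path.join(root, name), "wb").close()
    for name in ("taskmgr.exe", "taskmgr.com"):
        open(os.path.join(system32, name), "wb").close()
    pairs = find_shadowing([root, system32])
    return [(os.path.basename(a), os.path.basename(b)) for a, b in pairs]


if __name__ == "__main__":
    # On a real Windows box: find_shadowing(os.environ["PATH"].split(os.pathsep),
    #                                       os.environ.get("PATHEXT", DEFAULT_PATHEXT))
    for winner, loser in demo():
        print("%s would run instead of %s" % (winner, loser))
```

On a live system, feed it the directories from PATH together with the machine's own PATHEXT; any pair it reports deserves a look at the earlier-ranked file, since there is rarely a legitimate reason for a .com to sit next to an .exe of the same name in a system directory.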


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:12 AM

Posted 15 June 2010 - 01:22 PM

Are you still getting redirected? If yes in IE or Firefox or both?

#12 Zhang Fei

Zhang Fei
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:12 AM

Posted 15 June 2010 - 01:56 PM

The Google and Yahoo redirects have stopped on both Firefox and Internet Explorer. I'm hoping it's not too early to celebrate.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:12 AM

Posted 15 June 2010 - 02:10 PM

Great.

We'll give it a couple of hours. Reboot once and use the computer. Then tell me how things are. We will remove the tools and round off after your post.


#14 Zhang Fei

Zhang Fei
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:12 AM

Posted 15 June 2010 - 05:44 PM

No issues so far.

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:12 AM

Posted 15 June 2010 - 05:53 PM

Great.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. Also delete any tool or log we used from your computer.


Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing Zhang Fei.




