

Computer runs slowly, yet anti-virus/malware finds nothing


  • This topic is locked
22 replies to this topic

#1 Laxbro1

Laxbro1

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 11 July 2010 - 03:56 PM

First off, I would like to introduce myself on the forums here. I have come here many times in need of help, but hoped that my system would never perform poorly enough for me to make an account and post for my own help. To start off, my computer as a whole is running at least 30% slower than what it was a week ago, yet Malwarebytes finds nothing. When I scan with McAfee, it says that there could be a rootkit hiding on my system, so that always finds nothing. My problem is, I believe that this rootkit is redirecting about 50% of my Google searches. I just have no idea how I can find and remove this rootkit.
I was looking through the boards and heard about HijackThis and decided to run that. Here is my log; any help is greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:55:08 PM, on 7/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medctr.ohio-state.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconf.osumc.edu/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [iefixes] c:\windows\regedit.exe /s c:\iefixes.reg
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [frfjvosl] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hemsuqegl\eawtswstssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [frfjvosl] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hemsuqegl\eawtswstssd.exe (User 'Default user')
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0339EF40-3F8C-404E-8486-2635E981EA76} (SMS Screen Scraper) - http://nt1imsweb/ims/controls/ItkScr.cab
O16 - DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} (IDXssl Class) - http://osupcw-p01.osumc.edu/IDXICW/IDXM/idxssl.cab
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Sheridan ActiveTreeView Control) - http://symposium-web/Common/controls/ssTree.cab
O16 - DPF: {1D54E566-0FA7-48FC-87E1-C5C329FC6106} (mqImage.Bitmap) - http://abnweb-vp01/firstcomply/cabs/mqImage.cab
O16 - DPF: {208175F4-4360-4D53-9DFA-10D6696DB554} (IDXDocImg.DocImgViewer) - http://idxrad/idxradnet/Framework/Clientbi...ocImgViewer.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://citrix.osumc.edu/Citrix/MetaFrame/I...ca32/wficat.cab
O16 - DPF: {3C15B891-041C-46F9-8F36-65FE67D8E502} (Command Class) - http://nt1dashweb-p2/dsh/prod/html/DSHSHELLER.CAB
O16 - DPF: {51BBD385-9171-4E65-80D6-45639286C0DB} (mqSigPlusAdjust.IniConfigurator) - http://abnweb-vp01/firstcomply/cabs/mqSigPlusAdjust.cab
O16 - DPF: {575AC44B-C254-48B4-8102-20F29D72A60E} (DshSetForegroundWin Class) - http://nt1dashweb-p2/dsh/prod/html/SMSDSHSETFOREGROUND.CAB
O16 - DPF: {5929AFC0-A272-40BF-AEF1-038521950846} (Sheller Class) - http://nt1dashweb-p2/dsh/prod/html/SMSDSHSHELLER2.CAB
O16 - DPF: {631AEBE6-B369-4C13-86A2-358A50F8F29F} (IDXDocImgSoapClient.DocImgSoapClient) - http://idxrad/idxradnet/Framework/Clientbi...ocImgClient.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231446931613
O16 - DPF: {693F0F29-1D1F-4EDF-B5A8-E8852FF195DE} (SEAGULL J Walk Printer Client) - http://cts01/jwalk/jwalk_printerclient_ie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231446921118
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://rxtfcremote1/tsweb/msrdp.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://symposium-web/Common/controls/iemenu.cab
O16 - DPF: {7B78803F-EC97-4108-A8DD-415743C596FF} (PrintClass Class) - https://osu.elaborders.com/lwwebapps/classe...rintControl.cab
O16 - DPF: {80DC1772-21EF-11D4-B9DE-0008C7CB5F59} (WebRTFProj.WebRTF) - http://webesa-vp01.medctr.ohio-state.edu/esaweb/WebRTF.CAB
O16 - DPF: {820FC8CB-B4C0-4901-9116-5CE9B08C2870} (Avocent Session Viewer) - https://avocent-vp01/dsview/applets/avctvid...iewer-win32.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - https://erwebdev.erp.ohio-state.edu:1480/co....Insight.en.cab
O16 - DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} (Flowcast LDAP Class) - http://osupcw-p01.osumc.edu/IDXICW/IDXM/FlowcastLDAP.cab
O16 - DPF: {977DBE03-F527-11D3-8F03-00C04FA3EB91} (RtdControl Class) - http://symposium-web/Common/Controls/RtdCtrl.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - http://osupcw-p01.osumc.edu/IDXWeb/IDXWF/C...xt/IDXTools.cab
O16 - DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} (IDX TermWin Control) - http://osupcw-p01.osumc.edu/IDXICW/IDXM/icw.CAB
O16 - DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} (IDXcsvr Control Class) - http://osupcw-p01.osumc.edu/IDXICW/IDXM/idxcsvr.cab
O16 - DPF: {C38D196D-1E2D-446E-8A6C-9A49B09DC294} (mqSigPlus.Configuration) - http://abnweb-vp01/firstcomply/cabs/mqSigPlus.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://osumc-0362.nt3osumc.medctr.ohio-sta...iator/jinit.exe
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - http://osucea/amI/install/amiviewer.cab
O16 - DPF: {E3B24025-754B-11D2-8613-006008142B7B} (SMS ITK Viewer Control) - http://nt1imsweb/ims/controls/ItkVwr.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - http://osupcw-p01.osumc.edu/IDXWeb/IDXWF/C.../IDXBrowser.cab
O16 - DPF: {EF3D42E2-8BB3-11D3-A415-00105A179C91} (IDXradRWebWord.WebWord) - http://idxrad/idxrad/ClientBin/IDXradRWebWord.CAB
O16 - DPF: {F88F142A-96AE-40CC-B562-4C91B5E5A5CD} (IkmControlDownloader Control) - http://imgapp-p01.osumc.edu/M0A6/HTML/down...lDownloader.cab
O16 - DPF: {FD0ECA0C-6403-48CB-91C0-6C73EF7771AA} (Download Class) - http://nt1dashweb-p2/dsh/prod/html/SMSDSHDOWNLOAD.CAB
O16 - DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} (Ter Control) - http://eresults-p1/NTATSMS-NTAT-HTM/webPrint.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 11662 bytes


I hope this helps.



#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:43 PM

Posted 15 July 2010 - 04:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 15 July 2010 - 11:35 PM

I'm so sorry about the multiple posts. When I attempted to reply, Firefox would notify me that the server connection was reset, and I did not know that they got posted. I am sorry for the annoyance that this caused.

Edited by Laxbro1, 15 July 2010 - 11:47 PM.


#4 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 15 July 2010 - 11:36 PM

I'm so sorry about the multiple posts. When I attempted to reply, Firefox would notify me that the server connection was reset, and I did not know that they got posted. I am sorry for the annoyance that this caused.

Edited by Laxbro1, 15 July 2010 - 11:40 PM.


#5 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 15 July 2010 - 11:38 PM

I'm so sorry about the multiple posts. When I attempted to reply, Firefox would notify me that the server connection was reset, and I did not know that they got posted. I am sorry for the annoyance that this caused.

Edited by Laxbro1, 15 July 2010 - 11:41 PM.


#6 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 15 July 2010 - 11:46 PM


I'm so sorry about the multiple posts. When I attempted to reply, Firefox would notify me that the server connection was reset, and I did not know that they got posted. I am sorry for the annoyance that this caused.

Attached Files


Edited by Laxbro1, 16 July 2010 - 12:11 AM.


#7 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 16 July 2010 - 12:10 AM

No worries about the wait. I hope it's well worth it.
First off, I have been staying off the computer lately because I've been busy. The symptoms that my computer is having are that it is running slowly, by which I mean that the startup time for both apps and the computer itself has been significantly increased. Many of my Google searches are getting redirected to random websites. I have my GMER and DDS files here, and if another HijackThis scan is required, I will be happy to include that also.


DDS Files-



DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 1:01:22.04 on Fri 07/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.510 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\administrator\My Documents\Downloads\gmer\gmer.exe
C:\Documents and Settings\administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.medctr.ohio-state.edu/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [iefixes] c:\windows\regedit.exe /s c:\iefixes.reg
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [frfjvosl] c:\documents and settings\networkservice\local settings\application data\hemsuqegl\eawtswstssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0339EF40-3F8C-404E-8486-2635E981EA76}

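The one entry that stands out in both the HijackThis log in post #1 and the DDS pseudo-HJT report above is the same auto-start line: a Run value named [frfjvosl] under the SYSTEM and Default user hives, launching an executable from a NetworkService profile's Local Settings\Application Data tree, with both the directory and the file carrying names that look generated. The script below is an added example written for this thread (it is not from the thread, from HijackThis or from DDS) showing how an analyst can pull that pattern out of either log format automatically. Its "random-looking name" heuristic (a 6+ letter alphabetic token with under 25% vowels or a run of four consonants) and the Google Update line used as a benign contrast are assumptions of the example, not findings from the thread.

```python
"""Triage helper for HijackThis O4 and DDS mRun/uRun/dRun auto-start entries.
Added example for this thread; not code from HijackThis, DDS or the posters.
Flags entries launched from a user profile's Application Data tree under a
random-looking name, the shape of the [frfjvosl] entry in the logs above."""

import re

# HijackThis:  O4 - HKUS\S-1-5-18\..\Run: [name] command (User 'SYSTEM')
# DDS:         mRun: [name] command   (also uRun / dRun)
_ENTRY_RE = re.compile(r"^(?P<kind>O4 - [^:]+|[mud]Run): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# XP profile layout: ...\Documents and Settings\<user>\[Local Settings\]Application Data\<dir>\...
_APPDATA_RE = re.compile(
    r"documents and settings\\[^\\]+\\(?:local settings\\)?application data\\(?P<dir>[^\\]+)\\",
    re.IGNORECASE,
)
_EXE_RE = re.compile(r'([^\\\s"]+)\.exe', re.IGNORECASE)
_USER_RE = re.compile(r"\(User '(?P<user>[^']+)'\)")

_VOWELS = "aeiou"


def looks_random(token: str) -> bool:
    """Heuristic (an assumption of this example): an alphabetic token of 6+
    letters with under 25% vowels, or with a run of 4+ consonants, reads like a
    generated name (frfjvosl) rather than a product name (GoogleUpdate)."""
    t = token.lower()
    if not t.isalpha() or len(t) < 6:
        return False
    vowel_share = sum(c in _VOWELS for c in t) / len(t)
    longest_consonant_run = max(len(run) for run in re.split(f"[{_VOWELS}]", t))
    return vowel_share < 0.25 or longest_consonant_run >= 4


def triage_line(line: str):
    """Return a finding dict for one suspicious auto-start line, or None."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    loc = _APPDATA_RE.search(cmd)
    if loc is None:
        return None  # not launched from a profile's Application Data tree
    exe = _EXE_RE.search(cmd)
    candidates = [m.group("name"), loc.group("dir"), exe.group(1) if exe else ""]
    random_tokens = [t for t in candidates if looks_random(t)]
    if not random_tokens:
        return None  # AppData launches with sane names (e.g. Google Update) are common
    user = _USER_RE.search(cmd)
    return {
        "kind": m.group("kind"),
        "name": m.group("name"),
        "command": cmd,
        "random_tokens": random_tokens,
        "runs_as": user.group("user") if user else None,
    }


def triage(lines):
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in (triage_line(ln) for ln in lines) if f is not None]


# Sample input: two suspicious lines and two benign lines copied from the logs
# above, plus one constructed benign AppData line (Google Update) for contrast.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKUS\S-1-5-18\..\Run: [frfjvosl] C:\Documents and Settings\NetworkService\Local Settings\Application Data\hemsuqegl\eawtswstssd.exe (User 'SYSTEM')",
    r"mRun: [Apoint] c:\program files\delltpad\Apoint.exe",
    r"mRun: [GoogleUpdate] c:\documents and settings\bob\local settings\application data\Google\Update\GoogleUpdate.exe /c",
    r"dRun: [frfjvosl] c:\documents and settings\networkservice\local settings\application data\hemsuqegl\eawtswstssd.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding['kind']}: [{finding['name']}] runs_as={finding['runs_as']} "
              f"random={finding['random_tokens']}")
```

Run against the sample, the two [frfjvosl] lines are reported (the HijackThis one with runs_as=SYSTEM) and the iTunes, Apoint and Google Update lines are not. Directory name "hemsuqegl" alone does not trip the heuristic; the Run value name and the executable stem do, which is why the check looks at all three tokens rather than the path alone.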

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:43 AM

Posted 17 July 2010 - 06:39 AM

Hello, Laxbro1.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

This virus appears to have cut off your DDS log and corrupted the ZIP file! It happens... also the multiple posts are often related. I've seen enough for now, though. Let's run ComboFix.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 18 July 2010 - 05:14 PM

Hello, and thanks for the reply.

I have downloaded, run and installed the recovery system from ComboFix.

However, when I scan with it, always around 2 minutes into the scan my computer crashes, and that is what I'm stuck on.

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:43 AM

Posted 18 July 2010 - 05:20 PM

Do you get an error message? Try running CF from Safe Mode. Did that work?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 18 July 2010 - 09:00 PM

Just ran it.

When I tried it in Safe Mode, about 5 minutes in it said ComboFix has detected rootkit activity and needs to reboot.

After it restarted my computer it went into Normal Mode, in which it scanned immediately and did not allow me to disable my McAfee, but at least it scanned the whole machine without problems.

Lastly, here is the log-

ComboFix 10-07-16.02 - Administrator 07/18/2010 21:33:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.652 [GMT -4:00]
Running from: c:\documents and settings\administrator\My Documents\Downloads\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\BackUp
c:\windows\BackUp\3M HIS\32-Bit Interface Test Program.lnk
c:\windows\BackUp\3M HIS\C-Edit Help.lnk
c:\windows\BackUp\3M HIS\Coding and Reimbursement System.lnk
c:\windows\BackUp\3M HIS\Coding Products Help.lnk
c:\windows\BackUp\3M HIS\Coding Reference.lnk
c:\windows\BackUp\3M HIS\Debug32 Display.lnk
c:\windows\BackUp\3M HIS\Tags.txt Editor.lnk
c:\windows\BackUp\msxml4-KB927978-enu.log
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-12 02:04 . 2010-07-12 02:04 -------- d-----w- c:\program files\iPod
2010-07-12 01:52 . 2010-07-12 01:53 -------- d-----w- c:\program files\Bonjour
2010-07-12 01:50 . 2010-07-12 01:50 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-12 01:47 . 2010-07-12 01:47 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-07-11 20:54 . 2010-07-11 20:54 388096 ----a-r- c:\documents and settings\administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-11 20:30 . 2010-07-11 20:53 -------- d-----w- c:\program files\Trend Micro
2010-07-04 05:20 . 2010-07-04 05:20 -------- d-----w- c:\windows\system32\scripting
2010-07-04 05:20 . 2010-07-04 05:20 -------- d-----w- c:\windows\system32\en
2010-07-04 05:20 . 2010-07-04 05:20 -------- d-----w- c:\windows\l2schemas
2010-07-04 04:48 . 2010-07-04 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\hemsuqegl
2010-07-04 04:47 . 2010-07-04 04:47 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-04 04:47 . 2010-07-04 04:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-01 03:54 . 2010-07-01 03:54 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\dhxiahbdb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 21:35 . 2010-04-23 02:15 50 ----a-w- c:\documents and settings\administrator\jagex__preferences3.dat
2010-07-18 21:35 . 2010-04-23 02:13 46 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2010-07-18 21:32 . 2010-04-23 02:15 99 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2010-07-13 04:17 . 2010-06-10 13:56 63488 ----a-w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-13 04:17 . 2010-06-10 13:55 117760 ----a-w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-12 02:07 . 2010-04-15 21:07 -------- d-----w- c:\program files\iTunes
2010-07-12 02:03 . 2010-04-15 21:02 -------- d-----w- c:\program files\Common Files\Apple
2010-07-12 01:49 . 2010-04-15 23:29 -------- d-----w- c:\program files\Safari
2010-07-04 06:12 . 2010-06-10 13:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-04 05:25 . 2004-08-11 18:08 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-07-04 04:47 . 2004-09-07 14:45 2956 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-10 13:56 . 2010-06-10 13:56 52224 ----a-w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-10 13:55 . 2010-06-10 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-10 13:55 . 2010-06-10 13:55 -------- d-----w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com
2010-05-25 17:16 . 2010-04-16 12:34 55172 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-04-15 18:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-04-15 18:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 00:32 . 2010-04-24 14:51 608256 ----a-w- c:\documents and settings\All Users\Application Data\Apple\Installer Cache\AppleApplicationSupport 1.2.1\blackra1n.exe
2010-04-23 02:04 . 2010-04-23 02:04 503808 ----a-w- c:\documents and settings\administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54e56454-n\msvcp71.dll
2010-04-23 02:04 . 2010-04-23 02:04 499712 ----a-w- c:\documents and settings\administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54e56454-n\jmc.dll
2010-04-23 02:04 . 2010-04-23 02:04 348160 ----a-w- c:\documents and settings\administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54e56454-n\msvcr71.dll
2010-04-23 02:04 . 2010-04-23 02:04 61440 ----a-w- c:\documents and settings\administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-43f87a22-n\decora-sse.dll
2010-04-23 02:04 . 2010-04-23 02:04 12800 ----a-w- c:\documents and settings\administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-43f87a22-n\decora-d3d.dll
2010-04-23 02:03 . 2010-04-23 02:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30 . 2001-08-23 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iefixes"="c:\windows\regedit.exe" [2008-04-14 146432]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-07-17 136512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-02 200704]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-01-31 143360]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2010-07-19 184320]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2010-4-15 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [7/22/2008 12:50 PM 17968]
R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [7/21/2008 10:31 AM 192256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [4/15/2010 1:56 PM 66048]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [9/7/2004 2:47 PM 18144]
S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\windows\system32\drivers\cwbmidi.sys [8/11/2004 9:34 AM 3072]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [8/11/2004 9:34 AM 72832]
S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [9/7/2004 2:47 PM 18048]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [4/15/2010 1:56 PM 112384]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [4/15/2010 1:56 PM 13532]
.
Contents of the 'Scheduled Tasks' folder

2010-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.medctr.ohio-state.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0339EF40-3F8C-404E-8486-2635E981EA76} - hxxp://nt1imsweb/ims/controls/ItkScr.cab
DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} - hxxp://osupcw-p01.osumc.edu/IDXICW/IDXM/idxssl.cab
DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} - hxxp://symposium-web/Common/controls/ssTree.cab
DPF: {1D54E566-0FA7-48FC-87E1-C5C329FC6106} - hxxp://abnweb-vp01/firstcomply/cabs/mqImage.cab
DPF: {208175F4-4360-4D53-9DFA-10D6696DB554} - hxxp://idxrad/idxradnet/Framework/Clientbin/IDXDocImgViewer.CAB
DPF: {3C15B891-041C-46F9-8F36-65FE67D8E502} - hxxp://nt1dashweb-p2/dsh/prod/html/DSHSHELLER.CAB
DPF: {51BBD385-9171-4E65-80D6-45639286C0DB} - hxxp://abnweb-vp01/firstcomply/cabs/mqSigPlusAdjust.cab
DPF: {575AC44B-C254-48B4-8102-20F29D72A60E} - hxxp://nt1dashweb-p2/dsh/prod/html/SMSDSHSETFOREGROUND.CAB
DPF: {5929AFC0-A272-40BF-AEF1-038521950846} - hxxp://nt1dashweb-p2/dsh/prod/html/SMSDSHSHELLER2.CAB
DPF: {631AEBE6-B369-4C13-86A2-358A50F8F29F} - hxxp://idxrad/idxradnet/Framework/Clientbin/IDXDocImgClient.CAB
DPF: {693F0F29-1D1F-4EDF-B5A8-E8852FF195DE} - hxxp://cts01/jwalk/jwalk_printerclient_ie.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://symposium-web/Common/controls/iemenu.cab
DPF: {7B78803F-EC97-4108-A8DD-415743C596FF} - hxxps://osu.elaborders.com/lwwebapps/classes/APrintControl.cab
DPF: {80DC1772-21EF-11D4-B9DE-0008C7CB5F59} - hxxp://webesa-vp01.medctr.ohio-state.edu/esaweb/WebRTF.CAB
DPF: {820FC8CB-B4C0-4901-9116-5CE9B08C2870} - hxxps://avocent-vp01/dsview/applets/avctvideoviewer-win32.cab
DPF: {8C28EFD7-767B-11D1-8400-000000000000} - hxxps://erwebdev.erp.ohio-state.edu:1480/components/Brio.Insight.en.cab
DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} - hxxp://osupcw-p01.osumc.edu/IDXICW/IDXM/FlowcastLDAP.cab
DPF: {977DBE03-F527-11D3-8F03-00C04FA3EB91} - hxxp://symposium-web/Common/Controls/RtdCtrl.cab
DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - hxxp://osupcw-p01.osumc.edu/IDXWeb/IDXWF/Context/IDXTools.cab
DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} - hxxp://osupcw-p01.osumc.edu/IDXICW/IDXM/icw.CAB
DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} - hxxp://osupcw-p01.osumc.edu/IDXICW/IDXM/idxcsvr.cab
DPF: {C38D196D-1E2D-446E-8A6C-9A49B09DC294} - hxxp://abnweb-vp01/firstcomply/cabs/mqSigPlus.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://osumc-0362.nt3osumc.medctr.ohio-state.edu:7778/jinitiator/jinit.exe
DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} - hxxp://osucea/amI/install/amiviewer.cab
DPF: {E3B24025-754B-11D2-8613-006008142B7B} - hxxp://nt1imsweb/ims/controls/ItkVwr.cab
DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - hxxp://osupcw-p01.osumc.edu/IDXWeb/IDXWF/Context/IDXBrowser.cab
DPF: {EF3D42E2-8BB3-11D3-A415-00105A179C91} - hxxp://idxrad/idxrad/ClientBin/IDXradRWebWord.CAB
DPF: {F88F142A-96AE-40CC-B562-4C91B5E5A5CD} - hxxp://imgapp-p01.osumc.edu/M0A6/HTML/download/IkmControlDownloader.cab
DPF: {FD0ECA0C-6403-48CB-91C0-6C73EF7771AA} - hxxp://nt1dashweb-p2/dsh/prod/html/SMSDSHDOWNLOAD.CAB
DPF: {FFA315A3-20D3-11CF-8FDD-943611C10000} - hxxp://eresults-p1/NTATSMS-NTAT-HTM/webPrint.cab
FF - ProfilePath - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\50dgk0up.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{B4870B70-F390-11d2-9FB9-F4ED725EA20D} - \\medctr2\sys\public\NalExpEx.dll
AddRemove-CSN - c:\program files\SoftMed\CSN\Uninst.isu
AddRemove-IntelliReach IntelliClient for GroupWise - c:\docume~1\ALLUSE~1\APPLIC~1\Advansys\Formativ\1.0\INSTAL~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 21:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872F3EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7873f28
\Driver\ACPI -> ACPI.sys @ 0xf77e6cb8
\Driver\atapi -> atapi.sys @ 0xf7681852
\Driver\iaStor -> iaStor.sys @ 0xf76d04fc
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
SecurityProcedure -> ntoskrnl.exe @ 0x8059b445
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
SecurityProcedure -> ntoskrnl.exe @ 0x8059b445
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1105904442-2878155851-904439959-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6c,8e,f7,48,15,00,61,4d,a3,31,f1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6c,8e,f7,48,15,00,61,4d,a3,31,f1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-18 21:54:45
ComboFix-quarantined-files.txt 2010-07-19 01:54

Pre-Run: 9,687,314,432 bytes free
Post-Run: 10,006,069,248 bytes free

- - End Of File - - 9DD3ACDDEFC4ED4EAFBC9BDBD5D9B6FB


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:43 AM

Posted 19 July 2010 - 07:17 PM

Hello, Laxbro1.
OK...you referenced a GMER log before, but it wasn't attached. You do have a rootkit, but we need to identify which driver is infected to repair it. Can you please post the GMER log from before? Also, please note that this is a backdoor rootkit.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 

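The entry responders look for in the MBR detector section of the ComboFix log above is the module the tool could not name (>>UNKNOWN [0x872F3EC5]<< in the called-modules line). As an added example, not code from the thread, ComboFix or Gmer, here is a small triage script that pulls that line out of a log excerpt together with a few other entries worth a second look (the I/O path chain the tool walked, a Run value that launches a Windows system tool, random-looking Application Data directory names); the sample lines are constructed from the thread's own logs, and the random-name heuristic and its thresholds are assumptions.

```python
import re

# Constructed sample: lines of the kinds the thread's ComboFix and GMER output
# contain (MBR detector section, Run key values, "Files Created" entries).
SAMPLE_LOG = r"""
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872F3EC5]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7873f28
\Driver\atapi -> atapi.sys @ 0xf7681852
user & kernel MBR OK
"iefixes"="c:\windows\regedit.exe" [2008-04-14 146432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
2010-07-04 04:48 . 2010-07-04 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\hemsuqegl
2010-07-04 04:47 . 2010-07-04 04:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-01 03:54 . 2010-07-01 03:54 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\dhxiahbdb
"""

UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
IO_PATH_ENTRY = re.compile(r"^\\Driver\\(\S+) -> (\S+) @ (0x[0-9a-fA-F]+)$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
APPDATA_DIR = re.compile(r"\sd-----w-\s.*\\Application Data\\([^\\]+)$", re.IGNORECASE)

# Windows utilities that are not normally auto-started from a Run key (assumption).
SYSTEM_TOOLS = {"regedit.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def random_looking(name: str) -> bool:
    """Rough heuristic for generated directory names (assumption: vendors use
    mixed-case names, droppers often use lowercase letter soup). Flags all-lowercase
    alphabetic names of 8+ letters that are vowel-poor or have almost no repeated
    letters. Produces review candidates, not verdicts; expect false positives."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    unique_ratio = len(set(name)) / len(name)
    return vowel_ratio <= 0.25 or unique_ratio >= 0.8


def triage(log_text: str) -> list:
    """Return (category, detail) tuples for lines a responder should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = UNKNOWN_MODULE.search(line)
        if m:  # a module in the disk call chain the tool could not attribute
            findings.append(("mbr_unknown_module", m.group(1)))
            continue
        m = IO_PATH_ENTRY.match(line)
        if m:  # context only: compare this chain against a known-good machine
            findings.append(("io_path_entry", f"{m.group(1)} -> {m.group(2)} @ {m.group(3)}"))
            continue
        m = RUN_VALUE.match(line)
        if m:
            exe = m.group(2).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe in SYSTEM_TOOLS:
                findings.append(("run_key_system_tool", f"{m.group(1)} -> {exe}"))
            continue
        m = APPDATA_DIR.search(line)
        if m and random_looking(m.group(1)):
            findings.append(("random_named_dir", m.group(1)))
    return findings


def has_mbr_indicators(findings: list) -> bool:
    """True when the MBR detector reported a module it could not name."""
    return any(cat == "mbr_unknown_module" for cat, _ in findings)


if __name__ == "__main__":
    for cat, detail in triage(SAMPLE_LOG):
        print(f"{cat:22} {detail}")
```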


#14 Laxbro1

Laxbro1
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:43 AM

Posted 19 July 2010 - 08:35 PM

Thanks for the help.

I do not do anything important on this machine, and my dad can easily reimage it; however, moving everything back is just a burden, so I thought I would try this before.

Anyways, here is the GMER.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-16 01:09:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwClose [0xEC5F39A0]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwCreateKey [0xEC5F32A0]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwDeleteKey [0xEC5F3A62]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwDeleteValueKey [0xEC5F3CB2]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwDuplicateObject [0xEC5F48B8]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwEnumerateKey [0xEC5F40D0]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwEnumerateValueKey [0xEC5F448C]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwFlushKey [0xEC5F3A3A]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwLoadKey [0xEC5F474A]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwOpenKey [0xEC5F2EFE]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwQueryKey [0xEC5F41DE]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwQueryValueKey [0xEC5F45CE]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwRenameKey [0xEC5F4948]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwSetValueKey [0xEC5F3F08]
SSDT \??\c:\WINDOWS\system32\drivers\fslx.sys (FSL System Driver/Altiris, Inc.) ZwUnloadKey [0xEC5F47CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB7FE21A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB7FE21D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB7FE21FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB7FE21BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB7FE2193]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7FE2211]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB7FE21E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP B7FE21E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP B7FE21AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP B7FE21BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP B7FE2215 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP B7FE21FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP B7FE2197 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP B7FE21D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6CDEF80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0F81
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F92
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD0F55
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD00A7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F0E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F1F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD0EFD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD0FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD0F70
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD0F3A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0F9B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC0062
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FC0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0F9A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0FAB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FC6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006B0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006B0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006B0FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[196] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[280] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[280] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02960000
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02960075
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02960064
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02960049
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02960F8A
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0296002C
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02960F59
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 029600A1
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02960F23
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 029600BC
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02960F08
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02960FA5
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02960011
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02960086
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02960FC0
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02960FD1
.text C:\WINDOWS\system32\wuauclt.exe[280] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02960F48
.text C:\WINDOWS\system32\wuauclt.exe[280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02940038
.text C:\WINDOWS\system32\wuauclt.exe[280] msvcrt.dll!system 77C293C7 5 Bytes JMP 02940FAD
.text C:\WINDOWS\system32\wuauclt.exe[280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0294000C
.text C:\WINDOWS\system32\wuauclt.exe[280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02940FEF
.text C:\WINDOWS\system32\wuauclt.exe[280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02940027
.text C:\WINDOWS\system32\wuauclt.exe[280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02940FD2
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02950039
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02950FBC
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02950FDE
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02950014
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02950FCD
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02950FEF
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0295006F
.text C:\WINDOWS\system32\wuauclt.exe[280] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02950054
.text C:\WINDOWS\system32\wuauclt.exe[280] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02920FEF
.text C:\WINDOWS\system32\wuauclt.exe[280] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0292000A
.text C:\WINDOWS\system32\wuauclt.exe[280] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02920025
.text C:\WINDOWS\system32\wuauclt.exe[280] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02920036
.text C:\WINDOWS\system32\wuauclt.exe[280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02930FEF
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F6D
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10062
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10051
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10040
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FA8
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10F35
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D1007D
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10EF5
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F10
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D100B3
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D1002F
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D1000A
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F5C
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\System32\svchost.exe[636] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D1008E
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D0002C
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00F94
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00FDB
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D0001B
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00051
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00000
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D00FAF
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F0, 88]
.text C:\WINDOWS\System32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00FC0
.text C:\WINDOWS\System32\svchost.exe[636] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0FA8
.text C:\WINDOWS\System32\svchost.exe[636] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\System32\svchost.exe[636] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0029
.text C:\WINDOWS\System32\svchost.exe[636] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF000C
.text C:\WINDOWS\System32\svchost.exe[636] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\System32\svchost.exe[636] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\System32\svchost.exe[636] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\System32\svchost.exe[636] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\System32\svchost.exe[636] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE0014
.text C:\WINDOWS\System32\svchost.exe[636] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012E0000
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012E00AB
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012E0FB6
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012E009A
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012E007D
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012E0FE5
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012E0F91
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012E00CD
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012E00EA
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012E0F51
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012E00FB
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012E006C
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012E0011
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012E00BC
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012E0047
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012E002C
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012E0F76
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FBC
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FCD
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0022
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\services.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01020F28
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01020F43
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0102001B
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01020F5E
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01020F83
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01020EFC
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01020044
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0102008B
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0102007A
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01020ECD
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01020FCA
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01020F0D
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01020F94
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01020FAF
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01020069
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0101000A
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01010F83
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01010FC3
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01010FD4
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0101004A
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01010F9E
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [21, 89]
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0101001B
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0F9F
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FB0
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FC1
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D20FDE
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D20FC3
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D20FB2
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D700A1
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70086
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70069
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70FB6
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D7003D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70F74
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D700BC
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D70F41
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70F52
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D700F5
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D7004E
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70F91
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D70022
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70FD1
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D70F63
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60FDB
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D6007A
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60011
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60069
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D60058
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D60047
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D5003D
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D5002C
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50FD7
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D50FBC
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D50011
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D30FC3
.text C:\WINDOWS\system32\svchost.exe[920] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D30014
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD009A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD007F
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0058
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0F9B
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD002C
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD00B7
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F6F
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F43
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F54
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD0F28
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD003D
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD0F8A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0FC0
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD001B
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD00C8
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0FAF
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0F79
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC0036
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DC001B
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0F9E
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0049
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0FBE
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0FE3
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0038
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB001D
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D90FAF
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02F40FE5
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02F40F4D
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02F40F68
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02F40F79
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02F40036
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02F40F94
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02F40F26
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02F4006E
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02F40F01
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02F4009A
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02F400B5
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02F4001B
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02F40000
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02F4005D
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02F40FAF
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02F40FC0
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02F4007F
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02F30FC0
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02F30F8A
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02F30FDB
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02F3001B
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02F30047
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02F30000
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02F30036
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02F30FAF
.text C:\WINDOWS\System32\svchost.exe[1040] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02F20F9F
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!system 77C293C7 5 Bytes JMP 02F20FB0
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02F20FC1
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02F20FEF
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02F20020
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02F20FDE
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02F00FEF
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02F00FCA
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02F00000
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02F00011
.text C:\WINDOWS\System32\svchost.exe[1040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02F1000A
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F61
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10F7C
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10F8D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A1007D
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F35
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100BD
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A10F24
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A100CE
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10040
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A1000A
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10F46
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10025
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10098
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F94
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A0002F
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00051
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00000
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A00040
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F003B
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0FA6
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0FD2
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0FB7
.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F000C
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 009D0000
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 009D0FC0
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 009D0FA5
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50000
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C500AB
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C5009A
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50089
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50FC0
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50047
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C500E8
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C500D7
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C5010A
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F7B
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50F56
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50058
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50011
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C500C6
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C50FDB
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C5002C
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C500F9
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FC3
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C4006F
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40FA8
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40000
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C4004A
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40039
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30038
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FB7
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3001D
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FC8
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FE3
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B001B
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0040
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0051
.text C:\WINDOWS\System32\svchost.exe[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0076
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB005B
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0F83
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0036
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0FB9
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F3F
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F50
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0F02
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB0F1D
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB00B6
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB0F9E
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0087
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0025
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB0F2E
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD004A
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0039
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F8D
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0F7F
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0F9A
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FB5
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FD2
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\System32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01880000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 018800A1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01880090
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0188007F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01880058
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01880036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 018800C8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01880F80
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01880F43
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01880F5E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01880F32
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01880047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01880FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01880F9B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0188001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01880FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01880F6F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013E003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013E0F80
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013E002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013E001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013E0F91
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013E000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013E0FB6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5E, 89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013E0FD1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013D003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] msvcrt.dll!system 77C293C7 5 Bytes JMP 013D0FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013D0FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013D0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013D0022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013D0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013C0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 013B0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 013B0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 013B002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1744] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 013B0047
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013C0000
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013C0F4F
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013C004E
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013C003D
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013C0F80
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013C0FA5
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013C0F1C
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013C0F2D
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013C0090
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013C007F
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013C00AB
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013C002C
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013C0FDB
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013C0F3E
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013C0FCA
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013C001B
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013C0F01
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013B002C
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013B0F80
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013B001B
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013B0FEF
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013B0F91
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013B000A
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013B0FAC
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5B, 89]
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013B003D
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013A0042
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 013A001D
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013A0FD2
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013A0FEF
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013A0FB7
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013A000C
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0138000A
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01380025
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01380FEF
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01380FD4
.text C:\WINDOWS\Explorer.EXE[1968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0139000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3036] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0132000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3036] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0133000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3036] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0131000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 178

---- EOF - GMER 1.0.15 ----

#15 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 20 July 2010 - 07:37 PM

Hello, Laxbro1.

Hmmmm, it could be a false positive in Combofix. GMER isn't showing it. However, your system is acting strange so it's likely there. They can hide from GMER. Do you have any CD emulation software (Daemon Tools, Alcohol, etc.) installed?

Let's take a look with a more powerful tool.

You must first verify that you can log on to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation CD.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double-click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and log on to the Recovery Console.
Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat

You will see 1 file copied many times, then return to the x:\windows> prompt.
Type Exit to restart your computer, then log on in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators