
Problems with Google search jumping


21 replies to this topic

#1 luvxg


  • Members
  • 12 posts

Posted 12 July 2010 - 03:41 PM

Problems with Google search engine jumping to unknown sites. Thanks for any help!!

Logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:14:39.87 on Mon 07/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.127 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1423.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sjiopycj] c:\documents and settings\networkservice\local settings\application data\qwlpucfjv\jupycoqtssd.exe
dRun: [sjiopycj] c:\documents and settings\networkservice\local settings\application data\qwlpucfjv\jupycoqtssd.exe
dRun: [Xrobuqavefogu] rundll32.exe "c:\windows\mscMPT.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-31 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-31 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-31 144704]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-7 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-31 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-31 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-31 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-31 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2009-7-30 26958]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-31 34248]

=============== Created Last 30 ================

2010-07-12 20:13:26 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-09 12:50:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 17:08:01 0 d-----w- c:\program files\iPod
2010-06-23 17:00:27 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-06-11 22:53:58 95572 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 15:19:49.75 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-12 15:39:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwddapoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED79878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xED798821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED798738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED79874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED798835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED798861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xED7988CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xED7988B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED7987CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xED7988FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED79880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xED798710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xED798724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED79879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xED798937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xED7988A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xED79888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED79884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xED798923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xED79890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED798776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED798762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xED798877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED7987F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xED7988E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED7987E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED7987B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP ED7987B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP ED798811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP ED798891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP ED79878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP ED798766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80570833 5 Bytes JMP ED798825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP ED79893B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP ED7988D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP ED798714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP ED7987A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572A6E 7 Bytes JMP ED79887B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP ED7987E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP ED7987CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP ED798750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP ED7987FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP ED7988BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP ED798728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP ED7988FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP ED798865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP ED798839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP ED79873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP ED79877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP ED7988E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP ED7988A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP ED79884F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EFDD 5 Bytes JMP ED798913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F446 5 Bytes JMP ED798927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6942F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[216] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[216] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 011C000C
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013E0FEF
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013E0F8D
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013E0082
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013E0F9E
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013E0051
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013E0FB9
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013E00A4
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013E0F5C
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013E0F0B
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013E0F1C
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013E00BF
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013E0040
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013E0000
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013E0093
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013E0FD4
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013F0F15
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013F0F9E
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013F0FEF
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013F0082
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013F001B
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013F0FCA
.text C:\WINDOWS\system32\svchost.exe[2312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013F00AE
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013E0FC0
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013E0F68
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013E001B
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013E000A
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013E0F8D
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013E0FEF
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013E0F9E
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5E, 89]
.text C:\WINDOWS\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013E0FAF
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013D0036
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!system 77C293C7 5 Bytes JMP 013D001B
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013D0FAB
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013D0FEF
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013D0000
.text C:\WINDOWS\system32\svchost.exe[2312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013D0FC6
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 013B0FE5
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 013B0FD4
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 013B0FC3
.text C:\WINDOWS\system32\svchost.exe[2312] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 013B0014
.text C:\WINDOWS\system32\svchost.exe[2312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013C0FEF
.text C:\WINDOWS\Explorer.EXE[3092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[3092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[3092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BA000C
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C002F
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F8D
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0040
.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0042
.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D0031
.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D0FD2
.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D0000
.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0FC1
.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D0FE3
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5560] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----



#2 luvxg

luvxg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 12 July 2010 - 09:26 PM

OK I followed this thread http://www.bleepingcomputer.com/forums/t/325154/google-searches-being-redirected-to-infomash-and-other-sites/ which was essentially the identical problem, and it seems to have been corrected, unless you can see something else.

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:10 AM

Posted 17 July 2010 - 03:21 PM

Hello luvxg

Welcome to BleepingComputer
==========================
Can you post an updated DDS.txt? Thank you.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#4 luvxg

luvxg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 19 July 2010 - 10:37 AM

Thank you, here it is:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:33:47.96 on Mon 07/19/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.192 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe -k getPlusHelper
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1423.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
dRun: [sjiopycj] c:\documents and settings\networkservice\local settings\application data\qwlpucfjv\jupycoqtssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-31 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-31 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-31 144704]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-7 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-31 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-31 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-31 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-31 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-31 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2009-7-30 26958]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2010-07-16 14:22:10 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-07-16 14:21:59 0 d-----w- c:\program files\McAfee Security Scan
2010-07-16 14:07:48 0 d-----w- c:\program files\KingsIsle Entertainment
2010-07-12 22:08:54 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-12 22:07:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 22:07:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-12 22:07:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 22:07:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 21:23:24 0 d-----w- c:\program files\Trend Micro
2010-07-12 20:13:26 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-09 12:50:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 17:08:01 0 d-----w- c:\program files\iPod
2010-06-23 17:00:27 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-07-17 01:21:45 95924 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-14 23:38:30 45432 ----a-w- c:\windows\fonts\BUBBLEGUMS.TTF
2010-07-14 23:34:24 20640 ----a-w- c:\windows\fonts\ICE_AGE.ttf
2010-07-13 01:40:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 10:35:25.45 ===============


#5 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:10 AM

Posted 19 July 2010 - 07:13 PM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#6 luvxg

luvxg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 20 July 2010 - 02:53 PM

Here's the combofix log...

ComboFix 10-07-20.01 - Owner 07/20/2010 14:40:25.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.397 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-19 15:20 . 2010-07-19 15:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-07-16 14:22 . 2010-07-16 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-07-16 14:21 . 2010-07-19 15:19 -------- d-----w- c:\program files\McAfee Security Scan
2010-07-16 14:07 . 2010-07-16 14:07 -------- d-----w- c:\program files\KingsIsle Entertainment
2010-07-12 22:08 . 2010-07-12 22:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-12 22:07 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 22:07 . 2010-07-12 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-12 22:07 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 22:07 . 2010-07-12 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 21:23 . 2010-07-12 21:23 -------- d-----w- c:\program files\Trend Micro
2010-07-09 13:33 . 2010-07-09 13:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qwlpucfjv
2010-07-09 13:33 . 2010-07-09 13:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-09 12:50 . 2010-07-09 12:50 -------- d-----w- c:\program files\Common Files\Java
2010-07-09 12:50 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-06 18:36 . 2010-07-09 13:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-06 17:00 . 2010-07-06 17:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\lblmddtdt
2010-06-23 17:08 . 2010-06-23 17:08 -------- d-----w- c:\program files\iPod
2010-06-23 17:00 . 2010-06-23 17:00 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 01:21 . 2009-10-16 01:28 95924 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-16 14:08 . 2009-07-31 19:34 136272 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-16 14:07 . 2009-07-30 20:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-15 22:40 . 2009-08-01 00:16 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet
2010-07-15 22:36 . 2009-08-01 20:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-07-13 01:40 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-07-09 16:18 . 2009-08-01 15:17 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-07-09 12:50 . 2010-07-09 12:50 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5db91883-n\msvcp71.dll
2010-07-09 12:50 . 2010-07-09 12:50 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5db91883-n\jmc.dll
2010-07-09 12:50 . 2010-07-09 12:50 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5db91883-n\msvcr71.dll
2010-07-09 12:50 . 2010-07-09 12:50 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c0525f2-n\decora-sse.dll
2010-07-09 12:50 . 2010-07-09 12:50 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c0525f2-n\decora-d3d.dll
2010-07-09 12:50 . 2009-08-12 19:32 -------- d-----w- c:\program files\Java
2010-07-07 09:10 . 2009-08-06 19:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-03 01:28 . 2009-07-31 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-07-01 18:52 . 2010-07-07 21:22 1496064 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Profiles\53lx0tdx.Nic\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 18:51 . 2010-07-07 21:23 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Profiles\53lx0tdx.Nic\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 18:51 . 2010-07-07 21:23 338944 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Profiles\53lx0tdx.Nic\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 18:51 . 2010-07-07 21:23 346112 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Profiles\53lx0tdx.Nic\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-23 17:09 . 2010-05-05 21:28 -------- d-----w- c:\program files\iTunes
2010-06-23 17:07 . 2009-07-31 18:27 -------- d-----w- c:\program files\Common Files\Apple
2010-06-23 16:50 . 2010-06-23 16:50 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-17 11:43 . 2009-07-31 20:47 -------- d-----w- c:\program files\McAfee
2010-06-14 14:31 . 2009-07-30 18:30 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-05 16:39 . 2010-02-17 12:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 12:20 . 2009-08-11 17:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2010-05-29 16:27 . 2010-05-29 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-05-29 15:52 . 2010-05-29 15:49 -------- d-----w- c:\program files\Bing Bar Installer
2010-05-29 15:51 . 2010-05-29 15:51 -------- d-----w- c:\program files\Microsoft
2010-05-29 15:51 . 2010-05-29 15:51 -------- d-----w- c:\program files\MSN Toolbar
2010-05-29 15:50 . 2010-05-29 15:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2010-05-29 15:50 . 2010-05-29 15:49 -------- d-----w- c:\program files\Musicnotes
2010-05-29 15:49 . 2010-05-29 15:49 394087 ----a-w- c:\documents and settings\Owner\Application Data\OpenCandy\AF635DF00D0D4640A6B4EC5DC62DBB67\DBC_WrappedBING.exe
2010-05-29 15:49 . 2010-05-29 15:49 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenCandy
2010-05-29 15:49 . 2010-05-29 15:49 257257 ----a-w- c:\documents and settings\Owner\Application Data\OpenCandy\OpenCandy_AF635DF00D0D4640A6B4EC5DC62DBB67\BINGDlmgr3.exe
2010-05-26 15:56 . 2009-08-01 15:53 -------- d-----w- c:\documents and settings\Owner\Application Data\DeepBurner
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 17:20 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-07-02 2347216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-31 122368]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2009 4:04 PM 93320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/7/2009 2:33 PM 24652]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 6:46 PM 135664]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [7/30/2009 2:40 PM 26958]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MCCOMPONENTHOSTSERVICE
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:46]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:46]

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-31 17:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-31 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 14:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-20 14:50:43
ComboFix-quarantined-files.txt 2010-07-20 19:50

Pre-Run: 70,280,228,864 bytes free
Post-Run: 71,297,368,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 45B436A349A416786C0E522CEE8F8060


#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:10 AM

Posted 20 July 2010 - 05:35 PM

I will need you to show hidden Files \Folders.
To do this:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK

After that using Windows Explorer (to get there right-click your Start button and go to "Explore")
Delete these folders listed below:
c:\documents and settings\NetworkService\Local Settings\Application Data\qwlpucfjv
c:\documents and settings\Owner\Local Settings\Application Data\lblmddtdt

Now close Windows Explorer.

Now reset your Hidden files\folders to hidden.
  • To reset:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not Show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
=========================
Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=====
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

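The helper above picked the two random-named folders out of the ComboFix "Files Created" list by eye. As an added example that is not part of this thread and is not code from ComboFix, DDS or any other tool used here, the Python script below parses lines in that section's layout and flags newly created directories under a user profile's Application Data tree whose names look generated. The sample log lines are constructed to mirror the thread's log, and the name heuristic (minimum length, all lowercase, very low vowel density) is my own assumption: it is a hint for an analyst to review, not a detection rule on its own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout of ComboFix's "Files Created" section
# (modified time . created time, size or dashes, attribute flags, path).
# Two entries mirror the random-looking folder names the helper singled
# out; the others are ordinary vendor directories and one driver file.
SAMPLE_LOG = r"""
2010-07-19 15:20 . 2010-07-19 15:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-07-12 22:07 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 13:33 . 2010-07-09 13:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qwlpucfjv
2010-07-09 13:33 . 2010-07-09 13:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-06 17:00 . 2010-07-06 17:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\lblmddtdt
2010-06-23 17:00 . 2010-06-23 17:00 -------- d-----w- c:\program files\Bonjour
"""

# One entry: two timestamps separated by " . ", a size (dashes for a
# directory), an attribute field such as d-----w-, then the full path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)


@dataclass
class Entry:
    modified: str
    created: str
    size: str
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # ComboFix marks directories with a leading 'd' in the attribute field.
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        # Last path component, i.e. the file or folder name itself.
        return self.path.rsplit("\\", 1)[-1]


def parse_created_lines(text: str) -> list[Entry]:
    """Parse every line that matches the ComboFix 'Files Created' layout."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def looks_random(name: str, min_len: int = 8, max_vowel_ratio: float = 0.2) -> bool:
    """Assumed heuristic: long, all-lowercase, nearly vowel-free names read as generated.

    Vendor folders are usually mixed case or have normal vowel density, so a
    hit here is a reason to look closer, not a verdict on its own.
    """
    if len(name) < min_len or not name.isascii() or not name.isalpha():
        return False
    if not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= max_vowel_ratio


def in_profile_appdata(path: str) -> bool:
    """True for paths under a user profile's Application Data tree (XP layout)."""
    p = path.lower()
    return p.startswith("c:\\documents and settings\\") and "\\application data\\" in p


def suspicious_profile_dirs(text: str) -> list[str]:
    """Newly created profile-AppData directories whose names look generated."""
    return [
        e.path
        for e in parse_created_lines(text)
        if e.is_dir and in_profile_appdata(e.path) and looks_random(e.name)
    ]


if __name__ == "__main__":
    for path in suspicious_profile_dirs(SAMPLE_LOG):
        print("review:", path)
```

Run against a real ComboFix.txt the script lists candidates for manual review; the helper's judgement in the thread (which folders are unknown, and that the vendor-named ones are legitimate) is the step the heuristic cannot replace.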

#8 luvxg

luvxg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 20 July 2010 - 10:05 PM

Here's the first log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4333

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/20/2010 10:01:40 PM
mbam-log-2010-07-20 (22-01-40).txt

Scan type: Quick scan
Objects scanned: 128059
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:10 AM

Posted 21 July 2010 - 06:11 AM

Great, post the Eset log when you can, please.

#10 luvxg

luvxg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 21 July 2010 - 07:04 AM

and the last one
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=697b172263289549b7c047cf8ffa0d9a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-21 05:59:17
# local_time=2010-07-21 12:59:17 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 625909 625909 0 0
# compatibility_mode=5121 16776533 100 96 8650541 31687237 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=235368
# found=0
# cleaned=0
# scan_time=9847


#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:10 AM

Posted 21 July 2010 - 07:38 AM

Great, how are things running?
Please run DDS once more and post only the dds.txt that opens.

#12 luvxg

luvxg
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 21 July 2010 - 08:36 AM

Thank you - it is running better than it has in a long time.

DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 8:34:46.51 on Wed 07/21/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.286 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1423.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-31 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-31 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-31 144704]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-7 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-31 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-31 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-31 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-31 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2009-7-30 26958]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-31 34248]

=============== Created Last 30 ================

2010-07-21 03:06:10 0 d-----w- c:\program files\ESET
2010-07-20 19:39:08 0 d-sha-r- C:\cmdcons
2010-07-20 19:33:15 98816 ----a-w- c:\windows\sed.exe
2010-07-20 19:33:15 77312 ----a-w- c:\windows\MBR.exe
2010-07-20 19:33:15 256512 ----a-w- c:\windows\PEV.exe
2010-07-20 19:33:15 161792 ----a-w- c:\windows\SWREG.exe
2010-07-16 14:22:10 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-07-16 14:21:59 0 d-----w- c:\program files\McAfee Security Scan
2010-07-16 14:07:48 0 d-----w- c:\program files\KingsIsle Entertainment
2010-07-12 22:08:54 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-12 22:07:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 22:07:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-12 22:07:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 22:07:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 21:23:24 0 d-----w- c:\program files\Trend Micro
2010-07-12 20:13:26 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-09 12:50:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 17:08:01 0 d-----w- c:\program files\iPod
2010-06-23 17:00:27 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-07-17 01:21:45 95924 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-14 23:38:30 45432 ----a-w- c:\windows\fonts\BUBBLEGUMS.TTF
2010-07-14 23:34:24 20640 ----a-w- c:\windows\fonts\ICE_AGE.ttf
2010-07-13 01:40:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 8:35:33.29 ===============

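As an added triage aid (not part of this thread, DDS, or any of the tools named in it), the Python below parses a few lines copied from the log above into structured records and applies two checks: a DPF entry whose Sun installer cab is older than the 6u21 build (1.6.0_21) that the reply below asks for, and kernel drivers appearing in the "Created Last 30" window. The sample lines come from this thread's log; the parsing rules, function names and the driver check are the editor's assumptions about the format.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: lines copied from the "Pseudo HJT Report" section above.
PSEUDO_HJT = r"""
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
"""
# Constructed sample: lines copied from the "Created Last 30" section above.
CREATED_LAST_30 = r"""
2010-07-20 19:33:15 77312 ----a-w- c:\windows\MBR.exe
2010-07-12 22:07:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 22:07:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 12:50:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
"""

class Entry(NamedTuple):
    kind: str              # BHO, TB, uRun, mRun, DPF, ...
    name: str              # display name; empty for DPF lines
    clsid: Optional[str]   # lower-cased GUID; None for Run entries
    target: str            # DLL/EXE path or download URL

# "kind: name: {clsid} - target"; DPF lines omit the name part (assumed format).
CLSID_LINE = re.compile(r"^(?P<kind>BHO|TB|[um]URLSearchHooks|DPF):\s*(?:(?P<name>.+?):\s*)?"
                        r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<target>.+)$")
# "uRun: [name] "path" args" and "mRun: [name] path args" (assumed format).
RUN_LINE = re.compile(r"^(?P<kind>[um]Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<target>.+)$")
# "date time size attrs path" (assumed format of the Created Last 30 lines).
CREATED_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+(?P<path>.+)$")
# Sun's installer cab name encodes the JRE build, e.g. jinstall-1_6_0_20 -> 1.6.0_20.
JAVA_CAB = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)

def parse_pseudo_hjt(text: str) -> List[Entry]:
    """Turn report lines into Entry records; lines in other formats are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CLSID_LINE.match(line) or RUN_LINE.match(line)
        if not m:
            continue
        clsid = m.groupdict().get("clsid")
        entries.append(Entry(m["kind"], m["name"] or "", clsid.lower() if clsid else None, m["target"]))
    return entries

def java_version(target: str) -> Optional[Tuple[int, ...]]:
    """Extract (1, 6, 0, 20) from a jinstall cab URL, or None if the target is not one."""
    m = JAVA_CAB.search(target)
    return tuple(int(x) for x in m.groups()) if m else None

def outdated_java(entries: List[Entry], required: Tuple[int, ...] = (1, 6, 0, 21)) -> List[Tuple[Entry, Tuple[int, ...]]]:
    """Entries whose installer cab is older than `required` (6u21 = 1.6.0_21, the build named in the reply)."""
    found = []
    for e in entries:
        v = java_version(e.target)
        if v is not None and v < required:
            found.append((e, v))
    return found

def new_kernel_drivers(created_text: str) -> List[Tuple[str, str]]:
    """(timestamp, path) for .sys files under a drivers folder created in the window; worth a second look."""
    hits = []
    for raw in created_text.splitlines():
        m = CREATED_LINE.match(raw.strip())
        if m and m["path"].lower().endswith(".sys") and "\\drivers\\" in m["path"].lower():
            hits.append((m["ts"], m["path"]))
    return hits
```

On the sample, the only outdated-Java hit is the 1.6.0_20 DPF cab, and the two drivers flagged were created in the same minute as the Malwarebytes' Anti-Malware folder in the log, so they read as part of that install rather than as something new to chase.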

#13 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender: Male
  • Location: Florida

Posted 21 July 2010 - 11:50 AM

Great, please uninstall these 2 programs:
Adobe Reader 8.0
and
Acrobat 7.0

These contain vulnerabilities that can lead to reinfection.
You can get the newest version of Adobe Reader from here > http://get.adobe.com/reader/

Don't forget to uncheck where the optional toolbar wants to install.
=======Cleanup
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.
===============Update Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)", then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.


Delete\uninstall anything else that we have used that is leftover.

=====================================
After that you're all set.


The following are some articles and a Windows Update link that I like to suggest to people to help prevent malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example: BitTorrent, Limewire, Kazaa, emule, Utorrent, etc.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#14 luvxg

  • Topic Starter
  • Members
  • 12 posts

Posted 21 July 2010 - 12:44 PM

Great!! Thanks for all your help.

I'm going to start another thread for my laptop.

#15 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender: Male
  • Location: Florida

Posted 21 July 2010 - 12:49 PM

If you want I can help you in this thread.

If you want to continue with this thread then please do the following on your laptop.
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Edited by kahdah, 21 July 2010 - 12:50 PM.




