Not Sure What Kind, Sites Redirect Computers Slow


This topic is locked
3 replies to this topic

#1 keenanr7
Posted 30 July 2010 - 12:54 AM

I'm not sure what program is the best to use for the log, but I used HijackThis. Any other suggestions?
Here's my log. Thank you for any responses and advice!


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:47:38 PM, on 7/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Documents and Settings\geo\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=45724
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100720151657.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6763 bytes

DDS (Ver_10-03-17.01) - NTFSx86
Run by geo at 0:48:59.17 on Fri 07/30/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.109 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\geo\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
C:\Documents and Settings\geo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100720151657.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\geo\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geo\applic~1\mozilla\firefox\profiles\kmsx0ku0.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2010-7-2 3456]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-4 82952]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-4 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-4 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-4 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-4 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-4 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-4 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-4 141792]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-4 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-4 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-4 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-4 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-4 88480]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-4 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-4 83496]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-4 271480]

=============== Created Last 30 ================

2010-07-30 06:11:49 0 d-s---w- C:\ComboFix
2010-07-29 23:23:31 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-29 23:23:30 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-29 23:23:27 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-29 23:23:26 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-07-29 23:23:25 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-07-29 23:23:23 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-07-29 23:23:16 991232 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui
2010-07-29 23:23:16 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-07-29 23:23:04 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-29 05:31:12 0 d-----w- c:\docume~1\geo\applic~1\Malwarebytes
2010-07-29 05:30:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 05:30:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-29 05:30:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 05:30:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 09:05:32 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-07-24 09:11:33 0 d-----w- c:\windows\system32\XPSViewer
2010-07-24 09:10:13 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-24 09:10:12 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-24 09:10:11 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-24 09:10:10 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-24 09:10:10 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-24 09:10:09 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-24 09:10:09 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-24 09:10:08 0 d-----w- C:\5fcce6bc83fb9014a58f11b6597fd2f2
2010-07-21 14:58:21 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-21 14:58:21 215920 ----a-w- c:\windows\system32\muweb.dll
2010-07-21 14:58:21 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-21 09:20:27 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-07-21 09:20:27 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-07-21 09:20:22 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-07-21 09:18:37 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-21 09:18:27 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-07-21 09:17:53 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-07-21 09:17:38 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-07-21 09:16:57 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-07-21 09:15:38 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-07-21 09:15:19 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-07-21 09:14:44 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-21 09:03:52 1291776 -c----w- c:\windows\system32\dllcache\quartz.dll
2010-07-21 09:03:43 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-07-21 09:03:39 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-07-21 09:03:22 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-21 09:03:21 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-07-21 09:03:20 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-07-21 09:03:12 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-07-21 09:00:28 0 d-----w- c:\windows\system32\PreInstall
2010-07-21 09:00:25 0 d--h--w- c:\windows\$hf_mig$
2010-07-20 18:52:47 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-20 07:57:50 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-20 04:14:28 0 d-----w- c:\docume~1\alluse~1\applic~1\VirtualizedApplications
2010-07-20 02:03:31 0 d-----w- c:\docume~1\geo\applic~1\SoftGrid Client
2010-07-20 01:59:25 0 d-----w- c:\program files\Microsoft Application Virtualization Client
2010-07-20 01:59:25 0 d-----w- c:\documents and settings\all users\Microsoft
2010-07-20 01:56:35 0 d-----w- c:\docume~1\geo\applic~1\TP
2010-07-13 22:25:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-08 20:55:44 0 d-----w- c:\program files\Microsoft Security Essentials
2010-07-08 20:48:04 0 d-----w- C:\c9467ce70cefbe219a73
2010-07-07 06:42:49 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-07-07 06:42:44 0 d-----w- c:\program files\McAfee Security Scan
2010-07-07 06:20:15 0 d-----w- c:\windows\system32\LogFiles
2010-07-06 07:45:47 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-07-06 07:45:47 57752 ------w- c:\windows\system32\rpcnet.exe
2010-07-06 07:43:46 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-07-05 17:03:58 0 d-----w- c:\program files\common files\Adobe Systems Shared
2010-07-05 04:56:57 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-07-05 04:56:57 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-07-05 04:56:57 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-07-05 04:56:57 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-07-05 04:56:56 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-07-05 04:56:56 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-07-05 04:56:56 129536 -c--a-w- c:\windows\system32\dllcache\ksproxy.ax
2010-07-05 04:56:56 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-07-05 04:56:51 117248 ----a-w- c:\windows\system32\staco.dll
2010-07-05 04:56:48 1171464 ----a-w- c:\windows\system32\drivers\sthda.sys
2010-07-05 04:56:47 225280 ----a-w- c:\windows\system32\stacapi.dll
2010-07-05 04:56:47 0 d-----w- c:\program files\SigmaTel
2010-07-05 04:42:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 02:16:45 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-07-05 02:16:39 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-07-05 02:16:39 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-05 02:16:39 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-07-05 02:16:39 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-07-05 02:16:39 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-05 02:16:39 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-07-05 02:16:39 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-05 02:16:23 0 d-----w- c:\program files\common files\Mcafee
2010-07-05 02:16:19 0 d-----w- c:\program files\McAfee.com
2010-07-05 02:15:54 0 d-----w- c:\program files\McAfee
2010-07-05 01:07:38 44544 ----a-w- c:\windows\system32\agremove.exe
2010-07-05 00:51:27 0 d-----w- C:\spoolerlogs
2010-07-05 00:31:15 8192 -c----w- c:\windows\system32\dllcache\asferror.dll
2010-07-05 00:29:20 0 d-----w- c:\windows\network diagnostic
2010-07-05 00:29:18 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys
2010-07-05 00:29:17 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2010-07-05 00:28:03 19569 ----a-w- c:\windows\004905_.tmp
2010-07-03 00:06:36 120 ----a-w- c:\documents and settings\geo\a.bat
2010-07-03 00:06:03 94208 ----a-w- c:\documents and settings\geo\msnmsgr.exe
2010-07-02 23:59:32 0 d-----w- c:\windows\system32\wbem\AutoRecover
2010-07-02 23:53:12 316640 ----a-w- c:\windows\WMSysPr9.prx
2010-07-02 23:50:37 0 d-----w- c:\windows\ServicePackFiles
2010-07-02 23:48:18 2897920 ------w- c:\windows\system32\xpsp2res.dll
2010-07-02 23:47:08 19528 ----a-w- c:\windows\002135_.tmp
2010-07-02 23:47:02 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-07-02 23:45:10 0 d-----w- c:\windows\EHome
2010-07-02 22:07:15 0 d-sh--w- c:\documents and settings\geo\UserData
2010-07-02 21:53:31 0 d-----w- c:\program files\IrfanView
2010-07-02 21:50:15 0 d-----w- c:\program files\GPLGS
2010-07-02 21:49:47 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-07-02 21:49:43 0 d-----w- c:\program files\Acro Software
2010-07-02 21:46:26 3456 ----a-w- c:\windows\system32\drivers\atiide.sys
2010-07-02 21:31:34 0 d-----w- c:\windows\system32\Dell
2010-07-02 20:44:48 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-07-02 20:44:44 0 d-----w- c:\program files\Broadcom
2010-07-02 20:43:44 0 d-----w- c:\windows\system32\ReinstallBackups
2010-07-02 20:43:42 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2010-07-02 20:43:41 0 d-----w- c:\program files\AMD
2010-07-02 20:42:09 0 d-s---w- c:\windows\system32\Microsoft
2010-07-02 20:41:53 0 d-----w- c:\program files\Dell
2010-07-02 11:04:07 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-07-02 11:01:54 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-07-02 11:00:26 0 d-sh--w- c:\documents and settings\all users\DRM
2010-07-02 11:00:19 488 ---ha-r- c:\windows\system32\WindowsLogon.manifest
2010-07-02 11:00:19 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-07-02 11:00:19 0 d-s---w- c:\windows\Downloaded Program Files
2010-07-02 11:00:19 0 d-----r- c:\windows\Offline Web Pages
2010-07-02 11:00:15 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-07-02 11:00:15 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-07-02 11:00:15 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-07-02 11:00:15 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-07-02 11:00:15 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-07-02 11:00:15 749 ---ha-r- c:\windows\system32\cdplayer.exe.manifest
2010-07-02 11:00:00 4399505 -c--a-w- c:\windows\system32\dllcache\nls302en.lex
2010-07-02 10:59:00 0 d-----w- c:\program files\common files\MSSoap
2010-07-02 10:58:08 0 d--h--w- c:\program files\WindowsUpdate
2010-07-02 10:58:08 0 d-----w- c:\program files\Online Services
2010-07-02 10:58:03 0 d-----w- c:\program files\Messenger
2010-07-02 10:57:53 0 d-----w- c:\program files\MSN Gaming Zone
2010-07-02 10:57:45 0 d-----w- c:\program files\Windows NT
2010-07-02 04:52:01 0 d-----r- c:\documents and settings\all users\Documents
2010-07-01 11:44:03 0 d-----w- c:\program files\common files\ODBC
2010-07-01 11:44:00 0 d-----w- c:\program files\common files\SpeechEngines

==================== Find3M ====================

2010-07-02 10:58:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-01 02:32:58 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-01 02:32:58 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 0:51:14.26 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-30 00:56:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\geo\LOCALS~1\Temp\kftoquob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF742CDB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF742CDC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF742CDF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF742CE46]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF742CD9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF742CD74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF742CD88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF742CDDA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF742CE1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF742CE06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF742CE70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF742CE5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF742CE30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP F742CE34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP F742CE4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP F742CE60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 5 Bytes JMP F742CE20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP F742CD78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP F742CD8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP F742CE74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP F742CE0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP F742CDDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP F742CDB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP F742CDC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP F742CDF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP F742CDA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[536] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0202000A
.text C:\WINDOWS\Explorer.EXE[536] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02020036
.text C:\WINDOWS\Explorer.EXE[536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0202001B
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02010000
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02010086
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02010075
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02010F9B
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02010FAC
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0201003D
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02010F59
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 020100A1
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02010F37
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02010F48
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02010F26
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0201004E
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02010011
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02010F76
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0201002C
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02010FDB
.text C:\WINDOWS\Explorer.EXE[536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 020100C6
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02000FA8
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0200004A
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02000FC3
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02000FDE
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0200002F
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02000FEF
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02000F8D
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [20, 8A]
.text C:\WINDOWS\Explorer.EXE[536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02000014
.text C:\WINDOWS\Explorer.EXE[536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02050FAD
.text C:\WINDOWS\Explorer.EXE[536] msvcrt.dll!system 77C293C7 5 Bytes JMP 02050FBE
.text C:\WINDOWS\Explorer.EXE[536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02050FE3
.text C:\WINDOWS\Explorer.EXE[536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02050000
.text C:\WINDOWS\Explorer.EXE[536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02050038
.text C:\WINDOWS\Explorer.EXE[536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02050011
.text C:\WINDOWS\Explorer.EXE[536] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 0203000A
.text C:\WINDOWS\Explorer.EXE[536] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02030FEF
.text C:\WINDOWS\Explorer.EXE[536] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02030025
.text C:\WINDOWS\Explorer.EXE[536] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0203004A
.text C:\WINDOWS\Explorer.EXE[536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02040FEF
.text C:\WINDOWS\System32\svchost.exe[704] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[704] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0092001B
.text C:\WINDOWS\System32\svchost.exe[704] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00910F70
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00910F8B
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00910F9C
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00910065
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00910FD4
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00910091
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00910F55
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00910F1A
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009100BD
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00910EFF
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00910FB9
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00910025
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00910080
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00910FE5
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00910036
.text C:\WINDOWS\System32\svchost.exe[704] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009100AC
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900011
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00900F80
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0090003D
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00900FE5
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0090002C
.text C:\WINDOWS\System32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00900FA5
.text C:\WINDOWS\System32\svchost.exe[704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB004E
.text C:\WINDOWS\System32\svchost.exe[704] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0FCD
.text C:\WINDOWS\System32\svchost.exe[704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB002C
.text C:\WINDOWS\System32\svchost.exe[704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB003D
.text C:\WINDOWS\System32\svchost.exe[704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0011
.text C:\WINDOWS\System32\svchost.exe[704] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[704] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00930FD4
.text C:\WINDOWS\System32\svchost.exe[704] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00930FC3
.text C:\WINDOWS\System32\svchost.exe[704] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[704] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1344] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\services.exe[1344] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\services.exe[1344] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F70014
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60090
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F6007F
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60F9B
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60058
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60FC0
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60F59
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F600AB
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F600E1
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F60F48
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60F37
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60047
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60F80
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60011
.text C:\WINDOWS\system32\services.exe[1344] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F600BC
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FC3
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50F8D
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50FDE
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50014
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F50054
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F50FA8
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [15, 89]
.text C:\WINDOWS\system32\services.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\services.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F90FA1
.text C:\WINDOWS\system32\services.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\services.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F90011
.text C:\WINDOWS\system32\services.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90FE3
.text C:\WINDOWS\system32\services.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F90FC6
.text C:\WINDOWS\system32\services.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\services.exe[1344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F30FDE
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F30014
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F20084
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20073
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20F99
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F20FB6
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20047
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F200B7
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F200A6
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F20F54
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F200E3
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F20F39
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F20058
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F20095
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F20036
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\lsass.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F200D2
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10011
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F1005B
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10F94
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\system32\lsass.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10FA5
.text C:\WINDOWS\system32\lsass.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F5004E
.text C:\WINDOWS\system32\lsass.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F5003D
.text C:\WINDOWS\system32\lsass.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50FDE
.text C:\WINDOWS\system32\lsass.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\lsass.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FCD
.text C:\WINDOWS\system32\lsass.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F5000C
.text C:\WINDOWS\system32\lsass.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B000B0
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B0009F
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B0008E
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B0007D
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00047
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B000C1
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00F79
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F32
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B00F43
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00F21
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00062
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F96
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00FE5
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F54
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF002C
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0FA5
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0011
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF006C
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AF0051
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0FC0
.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B3001B
.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B30F90
.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30FC6
.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30FAB
.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1588] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1588] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\svchost.exe[1588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F72
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F83
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0067
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F9E
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F15
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F30
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0082
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0EE9
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0093
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0F4D
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0F04
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB006F
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0FA8
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB004A
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB003A
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB001D
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1664] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02680000
.text C:\WINDOWS\System32\svchost.exe[1664] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02680011
.text C:\WINDOWS\System32\svchost.exe[1664] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02680FE5
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02060FEF
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02060F5E
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02060053
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02060036
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02060F79
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0206001B
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 020600A6
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02060095
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02060F32
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02060F43
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02060F21
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02060F8A
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02060FD4
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02060078
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0206000A
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02060FC3
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 020600CB
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02050FDB
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02050FA8
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02050036
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0205001B
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02050FB9
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0205000A
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0205005B
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02050FCA
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0274003D
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!system 77C293C7 5 Bytes JMP 02740FB2
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02740FD4
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0274000C
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02740FC3
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02740FEF
.text C:\WINDOWS\System32\svchost.exe[1664] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02730FEF
.text C:\WINDOWS\System32\svchost.exe[1664] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 026A0FEF
.text C:\WINDOWS\System32\svchost.exe[1664] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 026A0FDE
.text C:\WINDOWS\System32\svchost.exe[1664] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 026A0FCD
.text C:\WINDOWS\System32\svchost.exe[1664] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 026A0FA8
.text C:\WINDOWS\System32\svchost.exe[1736] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00760000
.text C:\WINDOWS\System32\svchost.exe[1736] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00760FE5
.text C:\WINDOWS\System32\svchost.exe[1736] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00760011
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00750000
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00750F94
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00750089
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0075006C
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00750FAF
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00750047
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00750F6D
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007500B5
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007500D0
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00750F37
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00750F1C
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00750FC0
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00750011
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007500A4
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00750FDB
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00750022
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00750F5C
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0074000A
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00740047
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00740FB9
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00740FCA
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00740036
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00740FE5
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00740F94
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [94, 88]
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0074001B
.text C:\WINDOWS\System32\svchost.exe[1736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780F8D
.text C:\WINDOWS\System32\svchost.exe[1736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00780022
.text C:\WINDOWS\System32\svchost.exe[1736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00780011
.text C:\WINDOWS\System32\svchost.exe[1736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780000
.text C:\WINDOWS\System32\svchost.exe[1736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780FB2
.text C:\WINDOWS\System32\svchost.exe[1736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780FE3
.text C:\WINDOWS\System32\svchost.exe[1736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\wuauclt.exe[1896] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[1896] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0009000A
.text C:\WINDOWS\system32\wuauclt.exe[1896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FD4
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F92
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0087
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0076
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C004A
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F49
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F66
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F2E
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00BD
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00EC
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0065
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F77
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0039
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00AC
.text C:\WINDOWS\system32\wuauclt.exe[1896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F95
.text C:\WINDOWS\system32\wuauclt.exe[1896] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0016
.text C:\WINDOWS\system32\wuauclt.exe[1896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FC1
.text C:\WINDOWS\system32\wuauclt.exe[1896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[1896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FB0
.text C:\WINDOWS\system32\wuauclt.exe[1896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FDB
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0FA5
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C002C
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C001B
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0062
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C000A
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0051
.text C:\WINDOWS\system32\wuauclt.exe[1896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\System32\svchost.exe[1920] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009B0000
.text C:\WINDOWS\System32\svchost.exe[1920] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009B001B
.text C:\WINDOWS\System32\svchost.exe[1920] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009A0F44
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009A002F
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009A0F61
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009A0F72
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009A0FA8
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009A0065
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009A0054
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009A0EE4
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009A0087
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009A0ED3
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009A0F8D
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009A0FD4
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009A0F29
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009A0FC3
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009A0014
.text C:\WINDOWS\System32\svchost.exe[1920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009A0076
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00990FC3
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00990040
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00990014
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00990FD4
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0099002F
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00990FEF
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00990F8D
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B9, 88]
.text C:\WINDOWS\System32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00990FA8
.text C:\WINDOWS\System32\svchost.exe[1920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D0FA1
.text C:\WINDOWS\System32\svchost.exe[1920] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D002C
.text C:\WINDOWS\System32\svchost.exe[1920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D0FCD
.text C:\WINDOWS\System32\svchost.exe[1920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\System32\svchost.exe[1920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D0FBC
.text C:\WINDOWS\System32\svchost.exe[1920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D0FDE
.text C:\WINDOWS\System32\svchost.exe[1920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00150FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00150FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00150000
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270000
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002700A4
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270089
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0027006C
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002700ED
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002700D0
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270119
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00270F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0027012A
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270047
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270011
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002700BF
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270022
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270108
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360051
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360025
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00360040
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0037004E
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] msvcrt.dll!system 77C293C7 5 Bytes JMP 0037003D
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0037000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01500000
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01500011
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01500FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01500FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01860000
.text C:\WINDOWS\System32\svchost.exe[3708] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\System32\svchost.exe[3708] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FDE
.text C:\WINDOWS\System32\svchost.exe[3708] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009000A
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F5C
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B005B
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B004A
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F30
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F41
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00C9
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00B8
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00E4
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B006C
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B002F
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\System32\svchost.exe[3708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0093
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A004E
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0011
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A003D
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A002C
.text C:\WINDOWS\System32\svchost.exe[3708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FA5
.text C:\WINDOWS\System32\svchost.exe[3708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0F9F
.text C:\WINDOWS\System32\svchost.exe[3708] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0FB0
.text C:\WINDOWS\System32\svchost.exe[3708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0FD2
.text C:\WINDOWS\System32\svchost.exe[3708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0FEF
.text C:\WINDOWS\System32\svchost.exe[3708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0FC1
.text C:\WINDOWS\System32\svchost.exe[3708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F000C
.text C:\WINDOWS\System32\svchost.exe[3708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FE5

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{5B42E7DF-EEF1-4F53-AE8D-098E7AF9F300}\RP1\A0001016.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{5B42E7DF-EEF1-4F53-AE8D-098E7AF9F300}\RP1\A0001026.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{5B42E7DF-EEF1-4F53-AE8D-098E7AF9F300}\RP10\A0012108.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{5B42E7DF-EEF1-4F53-AE8D-098E7AF9F300}\RP10\A0014108.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{5B42E7DF-EEF1-4F53-AE8D-098E7AF9F300}\RP10\A0016108.exe:BAK 23040 bytes executable
ADS C:\System Volume Information\_restore{5B42E7DF-EEF1-4F53-AE8D-098E7AF9F300}\RP10\A0018108.exe:BAK 23040 bytes executable

---- EOF - GMER 1.0.15 ----

Merged topics, then two posts and removed 1 post. ~ OB

Attached Files

  • Attached File  DDS.zip   6.25KB   4 downloads
  • Attached File  gmer.zip   284.95KB   3 downloads

Edited by Orange Blossom, 30 July 2010 - 12:31 PM.
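The user-mode hook lines in the GMER log above (`.text <process>[pid] <module>!<function> <address> <n> Bytes JMP <target>`) are the part of such a log a responder triages first. The following is an added example, written for this edit and not code from the thread or from GMER, that parses those lines and groups them by process, separating hooks that GMER could attribute to a loaded module (such as the IEFRAME.dll hooks in iexplore.exe) from hooks that jump into memory no module is listed for. The function names, the dictionary layout and the 64 KiB region grouping are this example's own choices; the sample lines are taken from the log above. A hook into unlisted memory is not by itself proof of infection: security products commonly hook the same APIs (the McAfee drivers in the Devices section show such a product is installed here), so the output is a list of what to verify, not a verdict.

```python
"""Triage of GMER user-mode hook lines (added example, not GMER's own code)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One line per inline hook GMER found in a process:
#   .text <process>[<pid>] <module>!<function>[ + <offset>] <address> <n> Bytes JMP <target>[ <backing dll> (<owner>)]
# or, for the tail of a hook GMER reports in two pieces, raw patch bytes instead of a JMP:
#   .text <process>[<pid>] <module>!<function> + 3 <address> 2 Bytes [94, 88]
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^! ]+)!(?P<func>\S+)(?: \+ (?P<offset>\d+))? "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes (?P<rest>.*)$"
)
JMP_RE = re.compile(
    r"^JMP (?P<target>[0-9A-Fa-f]{8})(?: (?P<backing>.+?) \((?P<owner>[^)]*)\))?$"
)

# Windows reserves user-mode memory in 64 KiB blocks, so hook targets that share
# the top 16 bits usually sit in the same injected region (heuristic, an assumption).
REGION_MASK = 0xFFFF0000

# Sample lines in GMER's format, taken from the log in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007500D0
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00740F94
.text C:\WINDOWS\System32\svchost.exe[1736] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [94, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01500000
"""


def parse_hook(line: str) -> Optional[dict]:
    """Parse one '.text' line; return None for lines that are not hook entries."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = {
        "process": m["proc"], "pid": int(m["pid"]),
        "module": m["module"], "function": m["func"],
        "offset": int(m["offset"]) if m["offset"] else 0,
        "address": int(m["addr"], 16), "size": int(m["size"]),
        "target": None, "backing": None, "owner": None, "patch": None,
    }
    rest = m["rest"]
    j = JMP_RE.match(rest)
    if j:
        hook["target"] = int(j["target"], 16)
        hook["backing"] = j["backing"]   # None when GMER lists no module at the target
        hook["owner"] = j["owner"]
    elif rest.startswith("[") and rest.endswith("]"):
        # Second half of a split hook: raw bytes GMER shows instead of a JMP target.
        hook["patch"] = [int(b, 16) for b in rest[1:-1].split(",") if b.strip()]
    return hook


def parse_log(text: str) -> List[dict]:
    """Parse every hook line in a GMER log section."""
    return [h for h in (parse_hook(l) for l in text.splitlines()) if h]


def summarize(hooks: List[dict]) -> Dict[Tuple[str, int], dict]:
    """Per process: hooks resolved to a named module vs. hooks into unlisted memory."""
    summary = defaultdict(lambda: {"resolved": 0, "unbacked": 0,
                                   "regions": set(), "owners": set()})
    for h in hooks:
        s = summary[(h["process"], h["pid"])]
        if h["target"] is None:
            continue  # patch-byte tail of a split hook; its JMP half is counted already
        if h["backing"]:
            s["resolved"] += 1
            s["owners"].add(h["owner"])
        else:
            s["unbacked"] += 1
            s["regions"].add(h["target"] & REGION_MASK)
    return dict(summary)


def report(summary: Dict[Tuple[str, int], dict]) -> List[str]:
    """One readable line per hooked process, most unbacked hooks first."""
    lines = []
    for (proc, pid), s in sorted(summary.items(), key=lambda kv: -kv[1]["unbacked"]):
        regions = ", ".join(f"{r:08X}" for r in sorted(s["regions"])) or "-"
        owners = ", ".join(sorted(s["owners"])) or "-"
        lines.append(f"{proc}[{pid}]: {s['unbacked']} hook(s) into unbacked memory "
                     f"(regions {regions}); {s['resolved']} resolved to {owners}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_log(SAMPLE_LOG))):
        print(line)
```

Running the file prints one summary line per process. The useful signal is the region list: when every unresolved hook in a process lands in the same one or two 64 KiB regions, that is one injected code module to identify (by dumping the region on the live machine and matching it against the installed security product's files) rather than dozens of separate findings.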



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:48 PM

Posted 07 August 2010 - 04:15 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run it (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread


Information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. report from MBRCheck
      4. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:48 PM

Posted 10 August 2010 - 11:52 PM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:48 PM

Posted 14 August 2010 - 01:22 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

