Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Firefox/IE Crashes and Redirects


  • This topic is locked This topic is locked
15 replies to this topic

#1 Phyrkrakr

Phyrkrakr

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:07 AM

Posted 01 October 2010 - 02:07 PM

My dad's computer has been having problems with IE crashing and Google searches redirecting. I also installed Firefox (after this problem started) and the same thing is happening there. Looking at the Firefox crash report, it seems like the pages that he's being redirected to are causing a problem with Java, forcing the crash. Here's the HJT log from his computer:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:34:45 PM, on 10/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDST...aller_2-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164765093694
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 8096 bytes


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 06 October 2010 - 05:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 10 October 2010 - 07:57 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 11 October 2010 - 05:53 PM

Reopened at user's request

-----------------------------------------

Post away smile.gif
Posted Image
m0le is a proud member of UNITE

#5 Phyrkrakr

Phyrkrakr
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:07 AM

Posted 11 October 2010 - 07:26 PM

DDS Log:





DDS (Ver_10-10-10.03) - NTFSx86
Run by Witte at 13:33:22.51 on Mon 10/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.431 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Witte\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "C:\qttask.exe" -atboottime
mRun: [Motive SmartBridge] c:\progra~1\alltel~1\smartb~1\MotiveSB.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windst~1.lnk - c:\program files\alltel dsl check-up center\bin\matcli.exe
mPolicies-system: disablecad = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164765093694
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\witte\applic~1\mozilla\firefox\profiles\v4u3fgpk.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6092
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 385880]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-9-10 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-9-10 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-9-10 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-9-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-9-10 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-9-10 34248]

=============== Created Last 30 ================

2010-10-01 17:50:11 388096 ----a-r- c:\docume~1\witte\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-01 17:33:06 -------- d-----w- c:\docume~1\witte\locals~1\applic~1\Mozilla
2010-09-29 21:35:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-09-29 21:14:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-09-29 18:38:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-09-29 18:36:01 -------- d-----w- c:\docume~1\witte\locals~1\applic~1\NPE
2010-09-13 18:26:11 -------- d-----w- c:\docume~1\witte\locals~1\applic~1\Microsoft Help

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 07:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 13:34:56.99 ===============





GMER Log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-11 14:21:10
Windows 5.1.2600 Service Pack 3
Running: tq0q5xwl.exe; Driver: C:\DOCUME~1\Witte\LOCALS~1\Temp\fwldapoc.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF731AE02]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF731AE99]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF731ADD8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF731ADEC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF731AEAD]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF731AED9]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF731AF47]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF731AF31]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF731AF5D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF731AE42]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF731AE85]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF731AD74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF731AD88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF731AE16]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF731AFB1]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF731AF1B]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF731AF05]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF731AEC3]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF731AF9D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF731AF89]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF731ADC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF731ADB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF731AEEF]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF731AE71]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF731AF73]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF731AE58]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF731AE2C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP F731AE30 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F731AE06 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP F731AE46 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP F731AE5C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP F731AE1A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP F731AD78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP F731AD8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP F731ADB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP F731ADF0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP F731ADDC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP F731ADC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP F731AE75 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EC 7 Bytes JMP F731AF09 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP F731AEF3 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622064 7 Bytes JMP F731AF77 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622916 7 Bytes JMP F731AF1F mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP F731AEC7 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP F731AE9D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP F731AEB1 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP F731AEDD mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 7 Bytes JMP F731AF4B mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062427E 7 Bytes JMP F731AF35 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP F731AE89 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EE8 7 Bytes JMP F731AFB5 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806251A8 5 Bytes JMP F731AF8D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 806255F8 1 Byte [E9]
PAGE ntkrnlpa.exe!ZwLoadKey2 806255F8 7 Bytes JMP F731AF61 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062589C 5 Bytes JMP F731AFA1 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xEE879F80]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F66
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0073
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0062
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0EE4
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0EF5
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0ED3
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F10
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0F9E
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0FAD
.text C:\WINDOWS\system32\svchost.exe[620] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0038
.text C:\WINDOWS\system32\svchost.exe[620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FC8
.text C:\WINDOWS\system32\svchost.exe[620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB001D
.text C:\WINDOWS\system32\svchost.exe[620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F63
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0062
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F7E
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F9B
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F46
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC008E
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00C4
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00A9
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F10
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC007D
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0F2B
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F6F
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA003A
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0029
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070075
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F9B
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070058
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F6F
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700AB
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F25
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700C8
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700D9
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0007003D
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F4A
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060076
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA3
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB4
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005002E
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FD9
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F83
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80078
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F8005B
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80F9E
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8002F
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F46
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F57
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800B3
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F1A
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800C4
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80040
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F72
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80FB9
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80F2B
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70098
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70022
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70011
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F7007D
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F7006C
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70FDB
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60031
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60FB0
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60FD2
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60FC1
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FE3
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02540000
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02540FA6
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02540091
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02540080
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0254006F
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02540054
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02540F81
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025400C7
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025400FF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02540F66
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02540F4B
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02540FCD
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02540FEF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025400B6
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0254002F
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02540FDE
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025400EE
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02530036
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02530F9E
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02530FEF
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02530025
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02530FAF
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02530000
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02530FC0
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [73, 8A] {JAE 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02530051
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02450038
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 02450FB7
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02450FC8
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02450FE3
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0245001D
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0245000C
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F6A
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A7005F
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A7004E
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A7003D
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FC0
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A700A1
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70086
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A70F34
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A700CD
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A70F23
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A70FA5
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70F59
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A7002C
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A700B2
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A60025
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A60076
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A60FCA
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A60FE5
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A6005B
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A60040
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A60FB9
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A50FA1
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A5002C
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A50FCD
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A50FB2
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A50FDE
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A40000
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04820FEF
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 048200AB
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04820090
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04820073
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04820FB6
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04820051
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 048200BC
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04820F74
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04820F3E
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04820F59
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04820F23
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04820062
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0482000A
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04820F91
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04820040
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04820025
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 048200CD
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0481001B
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04810F68
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0481000A
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04810FDE
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04810F83
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04810FEF
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04810F94
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A1, 8C]
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04810FAF
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04800FBE
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 04800049
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0480001D
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04800FEF
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0480002E
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0480000C
.text C:\WINDOWS\System32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 047F0000
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 047E0000
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 047E0FE5
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 047E0011
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 047E0022
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650FA5
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0065009A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650FC0
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650073
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650062
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500E1
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006500D0
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650117
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500FC
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650F59
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650FDB
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006500B5
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650051
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650036
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F88
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0064002C
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640062
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640FA5
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00640FC0
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 88]
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0064003D
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630FAF
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630044
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063001D
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0095
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0FA0
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A007A
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0069
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FD1
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00B2
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F6A
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00CD
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F34
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00E8
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0058
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0011
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F7B
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0047
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0022
.text C:\WINDOWS\System32\svchost.exe[1156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F45
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FC3
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F68
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FDE
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029000A
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F83
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029002F
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0FAD
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0042
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FD9
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FC8
.text C:\WINDOWS\System32\svchost.exe[1156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[1156] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F63
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0058
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0047
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F94
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0FCA
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F24
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F35
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00B3
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0098
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B0F09
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0FA5
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F52
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0036
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B0087
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0051
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0FC3
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A002C
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A006C
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790FCD
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790058
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0079002C
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0079003D
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790011
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F68
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A0005D
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00F79
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00F8A
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00025
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A0009F
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00084
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F21
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F3C
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A00F10
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00036
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00F57
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FB9
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A000BA
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0036
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0065
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0F9E
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009F0FAF
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 88]
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E007A
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0069
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0033
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0044
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0018
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C1006C
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10F81
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10F9E
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10051
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C1002F
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F35
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C1007D
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C100B3
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10098
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10EFF
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10040
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F52
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F24
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930062
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA5
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093003D
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0092004C
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920031
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC1
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920016
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FD2
.text C:\WINDOWS\system32\svchost.exe[1480] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1480] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1480] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900022
.text C:\WINDOWS\system32\svchost.exe[1480] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0090003D
.text C:\WINDOWS\system32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 017C0FEF
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 017C006C
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 017C005B
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 017C004A
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 017C0F8D
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 017C002F
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 017C00A2
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 017C0F5A
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017C0F35
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017C00CE
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 017C00E9
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 017C0F9E
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 017C000A
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B4874A
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 017C0087
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 017C0FC3
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 017C0FD4
.text C:\WINDOWS\Explorer.EXE[2368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 017C00BD
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 016F0014
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 016F0F72
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 016F0FB9
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 016F0FDE
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 016F002F
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 016F0FEF
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 016F0F97
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8F, 89]
.text C:\WINDOWS\Explorer.EXE[2368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 016F0FA8
.text C:\WINDOWS\Explorer.EXE[2368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 016E0066
.text C:\WINDOWS\Explorer.EXE[2368] msvcrt.dll!system 77C293C7 5 Bytes JMP 016E0055
.text C:\WINDOWS\Explorer.EXE[2368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 016E0029
.text C:\WINDOWS\Explorer.EXE[2368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 016E0FEF
.text C:\WINDOWS\Explorer.EXE[2368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 016E0044
.text C:\WINDOWS\Explorer.EXE[2368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 016E000C
.text C:\WINDOWS\Explorer.EXE[2368] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 016C0FEF
.text C:\WINDOWS\Explorer.EXE[2368] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 016C000A
.text C:\WINDOWS\Explorer.EXE[2368] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 016C0025
.text C:\WINDOWS\Explorer.EXE[2368] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 016C0036
.text C:\WINDOWS\Explorer.EXE[2368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016D0000
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F81
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F0006C
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F0005B
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F000C9
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F000B8
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F00F44
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F5F
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00F29
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00040
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00091
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FCA
.text C:\WINDOWS\system32\dllhost.exe[2512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00F70
.text C:\WINDOWS\system32\dllhost.exe[2512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0FBE
.text C:\WINDOWS\system32\dllhost.exe[2512] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0FD9
.text C:\WINDOWS\system32\dllhost.exe[2512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE002E
.text C:\WINDOWS\system32\dllhost.exe[2512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\dllhost.exe[2512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0049
.text C:\WINDOWS\system32\dllhost.exe[2512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE001D
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0051
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0091
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0040
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0076
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\system32\dllhost.exe[2512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\dllhost.exe[2512] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 12 October 2010 - 01:24 PM

You've been hijacked, but we need to determine what has done the hijacking first.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
Posted Image
m0le is a proud member of UNITE

#7 Phyrkrakr

Phyrkrakr
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:07 AM

Posted 13 October 2010 - 07:16 PM

It'll be Friday before I have a chance to do this, maybe not til the weekend. Thanks for the help.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 13 October 2010 - 08:02 PM

No problem thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#9 Phyrkrakr

Phyrkrakr
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:07 AM

Posted 15 October 2010 - 01:30 PM

TDSSKiller:

2010/10/15 13:26:15.0281 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/15 13:26:15.0281 ================================================================================
2010/10/15 13:26:15.0281 SystemInfo:
2010/10/15 13:26:15.0281
2010/10/15 13:26:15.0281 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/15 13:26:15.0281 Product type: Workstation
2010/10/15 13:26:15.0281 ComputerName: DESKTOP
2010/10/15 13:26:15.0281 UserName: Witte
2010/10/15 13:26:15.0281 Windows directory: C:\WINDOWS
2010/10/15 13:26:15.0281 System windows directory: C:\WINDOWS
2010/10/15 13:26:15.0281 Processor architecture: Intel x86
2010/10/15 13:26:15.0281 Number of processors: 2
2010/10/15 13:26:15.0281 Page size: 0x1000
2010/10/15 13:26:15.0281 Boot type: Normal boot
2010/10/15 13:26:15.0281 ================================================================================
2010/10/15 13:26:15.0484 Initialize success
2010/10/15 13:26:54.0000 ================================================================================
2010/10/15 13:26:54.0000 Scan started
2010/10/15 13:26:54.0000 Mode: Manual;
2010/10/15 13:26:54.0000 ================================================================================
2010/10/15 13:26:56.0890 ================================================================================
2010/10/15 13:26:56.0890 Scan finished
2010/10/15 13:26:56.0890 ================================================================================
2010/10/15 13:27:02.0843 Deinitialize success


MBRCheck:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7B12000 \WINDOWS\system32\KDCOM.DLL
0xF7A22000 \WINDOWS\system32\BOOTVID.dll
0xF74E3000 ACPI.sys
0xF7B14000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74D2000 pci.sys
0xF7612000 isapnp.sys
0xF7BDA000 pciide.sys
0xF7892000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7622000 MountMgr.sys
0xF74B3000 ftdisk.sys
0xF7B16000 dmload.sys
0xF748D000 dmio.sys
0xF789A000 PartMgr.sys
0xF7632000 VolSnap.sys
0xF7475000 atapi.sys
0xF7642000 disk.sys
0xF7652000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7455000 fltmgr.sys
0xF7443000 sr.sys
0xF7662000 PxHelp20.sys
0xF742C000 KSecDD.sys
0xF7419000 WudfPf.sys
0xF738C000 Ntfs.sys
0xF735F000 NDIS.sys
0xF7345000 Mup.sys
0xF72E8000 mfehidk.sys
0xF7822000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6C40000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6C2C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6C04000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF794A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6BE0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7952000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6B45000 \SystemRoot\system32\DRIVERS\ltmdmnt.sys
0xF795A000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6B1D000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF7962000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7842000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7862000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6AFA000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7872000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7D4C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7882000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF72AF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6AE3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7682000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7692000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF796A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6AD2000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76A2000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7972000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF797A000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6AA2000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76B2000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7982000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF798A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B50000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6A44000 \SystemRoot\system32\DRIVERS\update.sys
0xF728F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76C2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEE984000 \SystemRoot\system32\drivers\sthda.sys
0xEE960000 \SystemRoot\system32\drivers\portcls.sys
0xF76F2000 \SystemRoot\system32\drivers\drmk.sys
0xEE816000 \SystemRoot\system32\drivers\sigfilt.sys
0xF7702000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B56000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF799A000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7CB7000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF7CB8000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF7B58000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CB9000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B5A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF79AA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF79B2000 \SystemRoot\System32\drivers\vga.sys
0xF7B5C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B5E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEE732000 \SystemRoot\System32\Drivers\DVDVRRdr_xp.SYS
0xF79BA000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79C2000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AE2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEE6E5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEE68C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEE665000 \SystemRoot\System32\Drivers\Mpfp.sys
0xEE63F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7722000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xF7732000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEE617000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEE5F5000 \SystemRoot\System32\drivers\afd.sys
0xF7742000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEE5CA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEE55A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7752000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7AAE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7772000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF79D2000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xF7792000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xEE4B7000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF7AB2000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xEE708000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xEE7F6000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEE49F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B7A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEE552000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78D2000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CDA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF093000 \SystemRoot\System32\atikvmag.dll
0xBF0C9000 \SystemRoot\System32\ati3duag.dll
0xBF34D000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEC353000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEC02A000 \SystemRoot\system32\drivers\wdmaud.sys
0xEC19F000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA78B000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xBA75B000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xBA735000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xBA325000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA1A4000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA05C000 \SystemRoot\system32\DRIVERS\srv.sys
0xF791A000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB97F1000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xF7922000 \SystemRoot\system32\drivers\mfebopk.sys
0xB97B7000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB9864000 \SystemRoot\system32\drivers\mfesmfk.sys
0xEE700000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xF792A000 \SystemRoot\system32\drivers\mferkdk.sys
0xB93FB000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7902000 \SystemRoot\system32\DRIVERS\dot4usb.sys
0xB93C8000 \SystemRoot\system32\DRIVERS\Dot4.sys
0xEC04F000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
0xB939D000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
616 C:\WINDOWS\system32\smss.exe
668 csrss.exe
696 C:\WINDOWS\system32\winlogon.exe
744 C:\WINDOWS\system32\services.exe
756 C:\WINDOWS\system32\lsass.exe
940 C:\WINDOWS\system32\ati2evxx.exe
956 C:\WINDOWS\system32\svchost.exe
1032 svchost.exe
1132 C:\WINDOWS\system32\svchost.exe
1172 C:\WINDOWS\system32\svchost.exe
1236 svchost.exe
1368 svchost.exe
1540 C:\WINDOWS\system32\spoolsv.exe
1860 C:\WINDOWS\explorer.exe
1940 C:\WINDOWS\ehome\ehtray.exe
1972 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2000 C:\WINDOWS\stsystra.exe
2016 C:\WINDOWS\ltmsg.exe
192 C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
184 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
436 C:\WINDOWS\system32\ctfmon.exe
604 svchost.exe
916 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1100 C:\WINDOWS\ehome\ehrecvr.exe
1296 C:\WINDOWS\ehome\ehSched.exe
1692 C:\Program Files\Java\jre6\bin\jqs.exe
1772 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1800 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
2064 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
2112 C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
2148 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
2256 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
2312 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
2336 C:\Program Files\McAfee\MPF\MpfSrv.exe
2384 C:\Program Files\McAfee\MSK\msksrver.exe
2540 svchost.exe
2676 C:\WINDOWS\system32\svchost.exe
2804 C:\WINDOWS\system32\MsPMSPSv.exe
2908 mcrdsvc.exe
3672 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
3956 C:\WINDOWS\system32\dllhost.exe
544 alg.exe
2460 C:\WINDOWS\ehome\ehmsas.exe
3088 C:\WINDOWS\system32\svchost.exe
3616 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
872 C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
1580 C:\Program Files\Mozilla Firefox\firefox.exe
1716 C:\Documents and Settings\Witte\Desktop\MBRCheck.exe

\\.\C: --> error 1

PhysicalDrive0 Model Number: HDS728080PLA380, Rev: PF2OA63A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 15 October 2010 - 07:46 PM

Don't know what's happened with the TDSSKiller log but it's a bit short tongue.gif .

Please rerun it and post the log that you get so we can see if that was a blip or not.
Posted Image
m0le is a proud member of UNITE

#11 Phyrkrakr

Phyrkrakr
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:07 AM

Posted 16 October 2010 - 12:57 AM

The command line entry you gave me didn't work that I could tell. I just doubleclicked the icon and ran the scan, and that's what it spit out. I'll try to get another crack at it tomorrow. Is there any way you can tell me what to look for, and what the next steps should be? It's kind of frustrating to find time to get at the computer, run two utilities that takes about ten minutes, and then wait a day for a reply. It would be much easier to be able to work for two or three hours straight and try to get this thing sorted.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 16 October 2010 - 04:57 AM

QUOTE
It's kind of frustrating to find time to get at the computer, run two utilities that takes about ten minutes, and then wait a day for a reply. It would be much easier to be able to work for two or three hours straight and try to get this thing sorted.


Yes it is. But it would be more frustrating to give you seven utilities in a row and because of results on the first utility the next six utilities are completely pointless. We start slowly because we need to know what we're dealing with but as this becomes more clear we can step it up a bit.

TDSSKiller not running is completely new so it may be that TDSS is evolving again.

Please run Combofix next. I need to see the results of this to see if anything needs to be scripted out before we continue.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#13 Phyrkrakr

Phyrkrakr
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:07 AM

Posted 18 October 2010 - 02:46 PM

Combofix Log:

ComboFix 10-10-17.04 - Witte 10/18/2010 14:24:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -5:00]
Running from: c:\documents and settings\Witte\Desktop\comfix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Witte\Local Settings\Application Data\Windows Server
c:\documents and settings\Witte\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Witte\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Witte\Local Settings\Application Data\Windows Server\uses32.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-13 14:13 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 14:13 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 14:12 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-01 17:50 . 2010-10-01 17:50 388096 ----a-r- c:\documents and settings\Witte\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-01 17:33 . 2010-10-01 17:33 -------- d-----w- c:\documents and settings\Witte\Local Settings\Application Data\Mozilla
2010-09-29 21:35 . 2010-10-01 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-29 21:14 . 2010-09-29 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-09-29 18:38 . 2010-09-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-29 18:36 . 2010-09-29 20:40 -------- d-----w- c:\documents and settings\Witte\Local Settings\Application Data\NPE
2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"QuickTime Task"="C:\qttask.exe" [2007-06-29 286720]
"Motive SmartBridge"="c:\progra~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 393216]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windstream Broadband Check-up Center.lnk - c:\program files\ALLTEL DSL Check-up Center\bin\matcli.exe [2008-3-28 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1122\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1124\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1124\Scripts\Logon\1\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1130\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1137\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1139\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1144\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-1145\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1109581302-3169608643-1766648127-500\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1230841440-1450079771-335977232-1144\Scripts\Logon\0\0]
"Script"=\\master\netlogon\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1230841440-1450079771-335977232-1144\Scripts\Logon\1\0]
"Script"=\\master\netlogon\logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/10/2010 12:28 PM 203280]
.
Contents of the 'Scheduled Tasks' folder

2010-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]

2010-09-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-10 17:22]

2010-10-05 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-10 17:22]

2010-10-18 c:\windows\Tasks\User_Feed_Synchronization-{4F997353-5C29-4592-9D00-A68E9A5118F1}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Witte\Application Data\Mozilla\Firefox\Profiles\v4u3fgpk.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6092
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Move Networks Player_is1 - c:\documents and settings\ars\Application Data\Move Networks\ie_bin\unins000.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3836)
c:\windows\system32\WININET.dll
c:\progra~1\ALLTEL~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\LTMSG.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-10-18 14:40:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-18 19:40

Pre-Run: 60,308,865,024 bytes free
Post-Run: 60,475,957,248 bytes free

- - End Of File - - 30DF32860B81F1EA7B4CCC5FCEDA0330

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 18 October 2010 - 07:27 PM

Okay, that's the end of the Bamital trojan. We should be able to speed this up now.

Please rerun Combofix, as shown below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
FF - prefs.js: network.proxy.http_port - 6092

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Now please run MBAM

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Now run the ESET online scanner
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.


Finally, let me know how the PC is running after these three steps. :)
Posted Image
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:07 AM

Posted 21 October 2010 - 06:23 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users