
Google redirect virus


7 replies to this topic

#1 RabidRobbie

  • Members
  • 11 posts

Posted 12 October 2010 - 04:33 AM

This is incredibly annoying. I can't do anything on the internet because every website is constantly redirecting to some bogus advertisement site. McAfee hasn't gotten rid of it, Ad-aware hasn't gotten rid of it, Malwarebytes hasn't gotten rid of it, and I have deleted a few suspicious looking things using HijackThis, but it isn't going away.

Here's my log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:28:55 PM, on 10/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100913085151.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] ]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ats] C:\WINDOWS\system32\asd\loadqm.exe noshow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\aaa\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\aaa\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KodakDigitalDisplayService - Orb Networks, Inc. - C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 12091 bytes


Someone please tell me what to do.

#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 19 October 2010 - 07:50 PM

Hi and welcome. :)

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay in response.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic, choose the notification you wish, and click Proceed. Your subscription will be added, and the topics you are subscribed to or tracking can be found in your Control Panel on this page.

Please take note of the following guidelines in the meantime:

Please perform all steps in the order received and do not proceed if you need clarification.


  • In the meantime, please refrain from making any changes to your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Old topics are closed after 3-5 days with no reply, and working topics are closed after 5-7 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Finally, please reply using the button in the lower left hand corner of your screen.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. In addition, most of us staff members here are all volunteers. With that said, please be courteous and appreciative for the assistance provided.

 

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page and follow step #6, step #7 and step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 RabidRobbie

  • Topic Starter
  • Members
  • 11 posts

Posted 20 October 2010 - 04:41 AM

Thank you so much, extremeboy! I was wondering if anyone was going to reply.

My problem hasn't changed since I posted. Pretty much every website I click on gets redirected to some bogus site (via ibyllw.net if that's any interest to you) and nothing I've tried has worked.

Here's my DDS and attach logs:

DDS (Ver_10-10-10.03) - NTFSx86
Run at 20:41:16.79 on Wed 10/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2276 [GMT -7:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\aaa\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://search.live.com
uSearch Bar = hxxp://search.live.com/sphome.aspx
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100913085151.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] ]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ats] c:\windows\system32\asd\loadqm.exe noshow
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\aaa\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\aaa\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaa\applic~1\mozilla\firefox\profiles\eel9szd2.default\
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_21.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-7 386712]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-7 84072]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-2 54752]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-12-4 68136]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\kodak\digital display\orbkodaklauncher\DllStartupService.exe [2009-5-14 98304]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-7 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-7 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-7 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-7 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-7 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-7 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-7 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-7 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-7 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-7 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-7 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-17 136176]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-7 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-7 84264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-10-20 04:20:07 -------- d-----w- c:\docume~1\aaa\applic~1\Windows Desktop Search
2010-10-18 18:50:24 -------- d-----w- c:\program files\uTorrent
2010-10-14 16:41:34 388096 ----a-r- c:\docume~1\aaa\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-14 15:56:20 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 15:56:20 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 03:49:19 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-10-14 03:32:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-14 03:29:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-14 03:29:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-14 03:25:24 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-14 03:25:24 423656 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-14 03:25:24 0 ----a-w- c:\windows\system32\RENDC.tmp
2010-10-14 03:25:24 0 ----a-w- c:\windows\system32\RENDB.tmp
2010-10-14 03:25:24 0 ----a-w- c:\windows\system32\RENDA.tmp
2010-10-14 01:30:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-14 01:30:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-12 04:36:41 -------- d-----w- c:\docume~1\aaa\applic~1\Malwarebytes
2010-10-12 04:36:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 04:36:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-12 04:30:31 -------- d-----w- c:\program files\common files\Java(2)
2010-10-12 04:29:23 -------- d-----w- c:\program files\Java(2)
2010-10-11 05:05:17 -------- d-----w- c:\program files\InstallJammer Registry
2010-10-11 05:04:55 -------- d-----w- c:\program files\Little Endian
2010-10-10 00:20:19 -------- d-----w- c:\program files\Trend Micro
2010-10-09 02:16:11 -------- dc----w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-09 02:15:50 -------- d-----w- c:\program files\Lavasoft
2010-10-08 05:19:06 88576 --sha-r- c:\windows\system32\ieframed.dll
2010-09-23 01:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-23 01:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-09-21 16:10:33 4 ----a-w- c:\windows\system32\microday08.dll
2010-09-21 16:10:31 70 ----a-w- c:\windows\system32\mypath0079.dll
2010-09-21 16:10:31 34 ----a-w- c:\windows\system32\MTX0CI.dll
2010-09-21 16:10:23 -------- d-sh--w- c:\windows\system32\asd

==================== Find3M ====================

2010-10-21 00:15:38 16608 ----a-w- c:\windows\gdrv.sys
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 20:41:45.51 ===============

GMER LOG:


GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-20 20:39:57
Windows 5.1.2600 Service Pack 3
Running: lqgw9eqw.exe; Driver: C:\DOCUME~1\aaa\LOCALS~1\Temp\kgtoaaod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9EAF090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9EAF0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9EAF0D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9EAF126]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9EAF07C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9EAF054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9EAF068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9EAF0BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9EAF0FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9EAF0E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9EAF150]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9EAF13C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9EAF110]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9EAF114 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B9EAF12A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B9EAF140 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP B9EAF100 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B9EAF058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP B9EAF06C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B9EAF154 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP B9EAF0EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B9EAF0BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP B9EAF094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B9EAF0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B9EAF0D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9EAF080 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB96E0360, 0x372FAD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D4006C
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40F77
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D40F88
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D40FAF
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40051
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40F2E
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D40F49
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D400A2
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D40091
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D40EE4
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40FC0
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D40F66
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D40036
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D40025
.text C:\WINDOWS\system32\services.exe[672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D40F1D
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01070033
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01070058
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01070022
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01070011
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01070F91
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01070000
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01070FAC
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 89]
.text C:\WINDOWS\system32\services.exe[672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01070FC7
.text C:\WINDOWS\system32\services.exe[672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01060F9F
.text C:\WINDOWS\system32\services.exe[672] msvcrt.dll!system 77C293C7 5 Bytes JMP 01060FB0
.text C:\WINDOWS\system32\services.exe[672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01060FD2
.text C:\WINDOWS\system32\services.exe[672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\services.exe[672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01060FC1
.text C:\WINDOWS\system32\services.exe[672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01060FE3
.text C:\WINDOWS\system32\services.exe[672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[684] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\lsass.exe[684] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\system32\lsass.exe[684] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F72
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0F83
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0067
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0F9E
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0040
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0098
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0F50
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F10
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF0F35
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF00C4
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F61
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\lsass.exe[684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF00A9
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40F79
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F8A
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\lsass.exe[684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\lsass.exe[684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20FA8
.text C:\WINDOWS\system32\lsass.exe[684] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D20029
.text C:\WINDOWS\system32\lsass.exe[684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FCD
.text C:\WINDOWS\system32\lsass.exe[684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20018
.text C:\WINDOWS\system32\lsass.exe[684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20FDE
.text C:\WINDOWS\system32\lsass.exe[684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF0070
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF005F
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF004E
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF003D
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF00A6
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF008B
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF0F25
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF00C8
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF0F0A
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF002C
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF0F60
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF0FB9
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF00B7
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F3004A
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30F8D
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F30F9E
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [13, 89]
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F20F8B
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F20F9C
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20FC8
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F20FAD
.text C:\WINDOWS\system32\svchost.exe[856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C300AE
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30FB9
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30093
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30076
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C3005B
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C300ED
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C300D0
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30123
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C30F8A
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C30134
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30FCA
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C300BF
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C300FE
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70025
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F94
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C70051
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60F84
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60F95
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FC1
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60FB0
.text C:\WINDOWS\system32\svchost.exe[908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FDE
.text C:\WINDOWS\system32\svchost.exe[908] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50000
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04940000
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04940036
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0494001B
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 023A0000
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 023A0F6F
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 023A006E
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 023A0F94
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 023A0051
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 023A0FB9
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 023A00A6
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 023A0089
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 023A00D2
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 023A0F39
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 023A0F14
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 023A0040
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 023A001B
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 023A0F5E
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 023A0FCA
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 023A0FE5
.text C:\WINDOWS\System32\svchost.exe[976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 023A00B7
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04980FAF
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04980F65
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04980000
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04980FCA
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04980022
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04980FEF
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04980F80
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B8, 8C]
.text C:\WINDOWS\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04980011
.text C:\WINDOWS\System32\svchost.exe[976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04970F6E
.text C:\WINDOWS\System32\svchost.exe[976] msvcrt.dll!system 77C293C7 5 Bytes JMP 04970F89
.text C:\WINDOWS\System32\svchost.exe[976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04970FAB
.text C:\WINDOWS\System32\svchost.exe[976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04970FEF
.text C:\WINDOWS\System32\svchost.exe[976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04970F9A
.text C:\WINDOWS\System32\svchost.exe[976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04970FD2
.text C:\WINDOWS\System32\svchost.exe[976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04960000
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04950FE5
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0495000A
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04950FD4
.text C:\WINDOWS\System32\svchost.exe[976] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 04950FC3
.text C:\WINDOWS\system32\svchost.exe[1072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1072] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007E001B
.text C:\WINDOWS\system32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007D0F94
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007D0089
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007D0078
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007D0FAF
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007D005B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007D0F5C
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007D00AE
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007D00E4
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007D0F4B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007D00FF
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007D0FCA
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007D0F83
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007D0040
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007D001B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007D00C9
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00810F97
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00810FE5
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0081001B
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810054
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00810FB2
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A1, 88]
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00810FC3
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800F7C
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800F8D
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800FCD
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800FB2
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C70025
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F81
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60076
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60FA8
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60065
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FC3
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F66
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C600B8
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60F44
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F55
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C600F8
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C6004A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60091
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C600C9
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0FAF
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0039
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA0FCA
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0F7C
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CA0F8D
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP 50C03388
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA0F9E
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C9004E
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C9000C
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90033
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF0FCD
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F8D
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0051
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F61
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE009D
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00DF
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F46
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00FA
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0062
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F72
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00C4
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FCA
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F94
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C3005B
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FAF
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FB4
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20049
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C2001D
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C2002E
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FE3
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FE5
.text C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004073E0 C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe (KodakDigitalDisplayService/Orb Networks, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[1608] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[1848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[1848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F7C
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0071
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0054
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00A9
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F61
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00CB
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00BA
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F0D
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA008C
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F46
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD007D
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0062
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC003D
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC002C
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FC6
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0000
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0117C054
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0117CD7C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0117CA84
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0117CC95
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0117BF97
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0117CB2A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0117CBD4
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 0117C3B1
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 0117CFEA
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 0117D524
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 0117CF1D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 0117D43F
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 0117D8DB
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 0117D9A5
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 0117C48C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 0117D357
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 0117D193
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 0117CE0A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 0117D0B7
.text C:\Program Files\Mozilla Firefox\firefox.exe[2200] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 0117D26F
.text C:\Program Files\Messenger\msmsgs.exe[3316] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\Program Files\Messenger\msmsgs.exe[3316] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FE5
.text C:\Program Files\Messenger\msmsgs.exe[3316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009001B
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F66
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C005B
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F83
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0040
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C001B
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F33
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F44
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EEC
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F07
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00A0
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F94
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F55
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FB9
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F18
.text C:\Program Files\Messenger\msmsgs.exe[3316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F9C
.text C:\Program Files\Messenger\msmsgs.exe[3316] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FAD
.text C:\Program Files\Messenger\msmsgs.exe[3316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FE3
.text C:\Program Files\Messenger\msmsgs.exe[3316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\Program Files\Messenger\msmsgs.exe[3316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FC8
.text C:\Program Files\Messenger\msmsgs.exe[3316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B001D
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FAF
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0062
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0047
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C000A
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0036
.text C:\Program Files\Messenger\msmsgs.exe[3316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C001B
.text C:\Program Files\Messenger\msmsgs.exe[3316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002D0000
.text C:\Program Files\Messenger\msmsgs.exe[3316] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002E0000
.text C:\Program Files\Messenger\msmsgs.exe[3316] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002E0FDB
.text C:\Program Files\Messenger\msmsgs.exe[3316] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002E0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3316] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 002E0FAF
.text C:\WINDOWS\Explorer.EXE[3812] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\WINDOWS\Explorer.EXE[3812] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0009002C
.text C:\WINDOWS\Explorer.EXE[3812] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009001B
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B00A1
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0090
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0069
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FAC
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B003D
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F6A
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00BC
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F3E
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00E1
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00F2
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B004E
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B001B
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F91
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B002C
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\Explorer.EXE[3812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F59
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A002C
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0073
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0062
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FC0
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0047
.text C:\WINDOWS\Explorer.EXE[3812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FBE
.text C:\WINDOWS\Explorer.EXE[3812] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0053
.text C:\WINDOWS\Explorer.EXE[3812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0027
.text C:\WINDOWS\Explorer.EXE[3812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[3812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0042
.text C:\WINDOWS\Explorer.EXE[3812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[3812] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[3812] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002D0000
.text C:\WINDOWS\Explorer.EXE[3812] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002D0011
.text C:\WINDOWS\Explorer.EXE[3812] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 002D0FC0
.text C:\WINDOWS\Explorer.EXE[3812] ws2_32.dll!socket 71AB4211 5 Bytes JMP 02720000
.text C:\WINDOWS\System32\svchost.exe[4088] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\System32\svchost.exe[4088] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FAF
.text C:\WINDOWS\System32\svchost.exe[4088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FCA
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B009C
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B008B
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FBD
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B007A
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0058
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F65
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00AD
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F36
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00D9
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F25
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0069
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B001B
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F8C
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B003D
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B002C
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00BE
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F79
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0000
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0040
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0F9E
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\System32\svchost.exe[4088] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0025
.text C:\WINDOWS\System32\svchost.exe[4088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0FB2
.text C:\WINDOWS\System32\svchost.exe[4088] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0FC3
.text C:\WINDOWS\System32\svchost.exe[4088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0029
.text C:\WINDOWS\System32\svchost.exe[4088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0FEF
.text C:\WINDOWS\System32\svchost.exe[4088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0FD4
.text C:\WINDOWS\System32\svchost.exe[4088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F000C
.text C:\WINDOWS\System32\svchost.exe[4088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4960] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\system32\wuauclt.exe[4960] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text C:\WINDOWS\system32\wuauclt.exe[4960] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0069
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0058
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F7E
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0FA5
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FD1
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0090
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F48
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00B5
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F1C
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00C6
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FB6
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F63
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C003D
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C002C
.text C:\WINDOWS\system32\wuauclt.exe[4960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F2D
.text C:\WINDOWS\system32\wuauclt.exe[4960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0049
.text C:\WINDOWS\system32\wuauclt.exe[4960] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B002E
.text C:\WINDOWS\system32\wuauclt.exe[4960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FC8
.text C:\WINDOWS\system32\wuauclt.exe[4960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B001D
.text C:\WINDOWS\system32\wuauclt.exe[4960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B000C
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C001B
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0065
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0054
.text C:\WINDOWS\system32\wuauclt.exe[4960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FC3

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1660] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407750] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1660] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077B0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\276C78BDd01 28365 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\1BB5246Cd01 35341 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\F53125B3d01 40010 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\B8F0994Ed01 1022315 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\3759E1CAd01 29556 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\A4945A69d01 31745 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\611C9EECd01 19670 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\73C6DF45d01 45869 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\7861C3C5d01 24986 bytes
File C:\Documents and Settings\aaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\Cache\7EFCDB4Cd01 24706 bytes

---- EOF - GMER 1.0.15 ----


Sorry if this is too long!
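Added example, not part of the original post and not GMER's own code: a small Python triage script for the "User code sections" lines in the GMER log above. Each `.text` line records an inline patch in a user-mode process: the hooked export, its address, the number of bytes overwritten, the JMP target and, when GMER can map that target to a loaded image, the owning module (here McAfee and Microsoft components). The script groups hooks by process and separates attributed hooks from ones whose JMP target GMER could not map to any module, which is what the svchost.exe, Explorer.EXE, msmsgs.exe, wuauclt.exe and firefox.exe entries above look like. The sample lines inside the script are constructed in GMER's output format; the regexes and function names are this example's own. An unattributed trampoline is a lead to investigate, not proof of infection on its own, since some legitimate products also inject code that is not backed by a mapped DLL.

```python
"""Triage GMER 'User code sections' hook lines (example code, not GMER's).

A hook that resolves to a security-product or OS module is expected; a hook
whose trampoline lands in memory backed by no module is the one to chase.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the shape GMER 1.0.15 prints (not a real log).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00DF
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FAF
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FE5
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[1608] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3812] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009001B
"""

# ".text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes <patch>"
HOOK_RE = re.compile(
    r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?: \+ (?P<offset>\d+))? "
    r"(?P<address>[0-9A-Fa-f]+) (?P<size>\d+) Bytes (?P<patch>.*)$"
)
# Patch field: "JMP <target>" optionally followed by "<owner path> (<description>)".
JMP_RE = re.compile(
    r"^JMP (?P<target>[0-9A-Fa-f]+)(?: (?P<owner>.+?) \((?P<description>[^)]*)\))?$"
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    address: int
    size: int
    target: Optional[int]       # None for raw byte patches such as "[E3, 88]"
    owner: Optional[str]        # module GMER resolved the target to, if any
    description: Optional[str]


def parse_hooks(text: str) -> List[Hook]:
    """Return one Hook per '.text' line; other GMER sections are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        j = JMP_RE.match(m.group("patch"))
        export = m.group("export")
        if m.group("offset"):
            export += "+" + m.group("offset")
        hooks.append(Hook(
            process=m.group("process"), pid=int(m.group("pid")),
            module=m.group("module").lower(), export=export,
            address=int(m.group("address"), 16), size=int(m.group("size")),
            target=int(j.group("target"), 16) if j else None,
            owner=j.group("owner") if j else None,
            description=j.group("description") if j else None,
        ))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, Dict[str, List[Hook]]]:
    """Group hooks per 'image[pid]' and split them by whether GMER could
    attribute the patch to a loaded module."""
    report = defaultdict(lambda: {"attributed": [], "unattributed": []})
    for h in hooks:
        image = h.process.rsplit("\\", 1)[-1]
        key = f"{image}[{h.pid}]"
        report[key]["attributed" if h.owner else "unattributed"].append(h)
    return dict(report)


def suspicious_processes(report) -> List[str]:
    """Processes carrying at least one hook not backed by any module."""
    return sorted(k for k, v in report.items() if v["unattributed"])


def hooked_exports(report, key: str) -> List[str]:
    """Sorted 'module!export' names patched in one process."""
    return sorted(f"{h.module}!{h.export}"
                  for bucket in report[key].values() for h in bucket)


if __name__ == "__main__":
    rep = triage(parse_hooks(SAMPLE_LOG))
    for key in suspicious_processes(rep):
        print(f"{key}: {len(rep[key]['unattributed'])} unattributed hook(s):",
              ", ".join(hooked_exports(rep, key)))
    for key, buckets in rep.items():
        for h in buckets["attributed"]:
            print(f"{key}: {h.module}!{h.export} -> {h.owner} ({h.description})")
```

Run it against the full pasted log by replacing SAMPLE_LOG with the file contents; the set of exports patched in each unattributed process (process creation, library loading, registry, file, socket and WinInet entry points, repeated across many unrelated processes) is the pattern to compare against what a known security product would hook.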


#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:03 PM

Posted 21 October 2010 - 09:48 PM

Hello again,

Sorry for the short delay. Had a few things to cover yesterday so didn't respond. Let's get moving along here.

Let's start with a tool called Combofix and proceed from there.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#5 RabidRobbie
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:03 PM

Posted 22 October 2010 - 11:53 PM

Ok here's the combofix log:


ComboFix 10-10-22.03 - aaa 10/23/2010 16:38:22.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2541 [GMT -7:00]
Running from: c:\documents and settings\aaa\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\system32\asd
c:\windows\system32\asd\mylng.cfg
c:\windows\system32\asd\newsdsave.dll
c:\windows\system32\asd\rule.cfg
c:\windows\system32\asd\YFSysKeys.ocx
c:\windows\system32\microday08.dll
c:\windows\system32\MTX0CI.dll
c:\windows\system32\mypath0079.dll

.
((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
.

2010-10-20 04:20 . 2010-10-20 04:20 -------- d-----w- c:\documents and settings\aaa\Application Data\Windows Desktop Search
2010-10-14 17:02 . 2010-10-14 17:02 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-14 16:41 . 2010-10-14 16:41 388096 ----a-r- c:\documents and settings\aaa\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-14 15:56 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 15:56 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 03:49 . 2010-10-14 03:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-10-14 03:32 . 2010-10-16 02:01 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-14 03:29 . 2010-10-14 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-14 03:29 . 2010-10-14 03:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-14 03:25 . 2010-10-14 03:25 -------- d-----w- c:\program files\Common Files\Java
2010-10-14 03:25 . 2010-10-14 03:25 0 ----a-w- c:\windows\system32\RENDC.tmp
2010-10-14 03:25 . 2010-10-14 03:25 0 ----a-w- c:\windows\system32\RENDB.tmp
2010-10-14 03:25 . 2010-10-14 03:25 0 ----a-w- c:\windows\system32\RENDA.tmp
2010-10-14 03:25 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-14 03:25 . 2010-07-17 12:00 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-14 03:25 . 2010-10-14 03:25 -------- d-----w- c:\program files\Java
2010-10-09 02:15 . 2010-10-09 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-09 02:15 . 2010-10-09 02:15 -------- d-----w- c:\program files\Lavasoft
2010-10-08 05:19 . 2010-10-08 05:19 88576 --sha-r- c:\windows\system32\ieframed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-23 22:58 . 2009-12-04 23:45 16608 ----a-w- c:\windows\gdrv.sys
2010-09-18 19:23 . 2004-08-04 00:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 00:56 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 20:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 20:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 00:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 00:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2004-08-04 00:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-01 11:51 . 2004-08-04 00:56 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-03 23:17 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 00:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 00:56 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-03 23:14 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-12-02 21:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-24 21:57 . 2010-05-08 01:56 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 21:57 . 2010-05-08 01:56 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 21:57 . 2010-05-08 01:56 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 21:57 . 2010-05-08 01:56 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 21:57 . 2010-05-08 01:56 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 21:57 . 2010-05-08 01:56 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 21:57 . 2010-05-08 01:56 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 21:57 . 2010-05-08 01:56 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-24 21:57 . 2010-05-08 01:56 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 21:57 . 2010-05-08 01:56 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-23 16:12 . 2004-08-04 00:56 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 00:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2007-06-13 23:07 . 2007-06-13 23:07 6276080 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2010-08-24 21:57 . 2010-09-13 15:51 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="]" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-5-17 2297856]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/7/2010 6:56 PM 84072]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/4/2009 4:46 PM 68136]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [5/14/2009 1:21 PM 98304]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/7/2010 6:56 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/7/2010 6:56 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/7/2010 6:56 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/7/2010 6:56 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/7/2010 6:56 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/7/2010 6:56 PM 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/7/2010 6:56 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2010 7:46 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/7/2010 6:56 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/7/2010 6:56 PM 84264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [3/27/2006 6:53 PM 167808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-18 02:46]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-18 02:46]

2010-10-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1078145449-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1078145449-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1078145449-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1078145449-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\aaa\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\aaa\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\aaa\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\Java\jre6\bin\npjpi160_21.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ats - c:\windows\system32\asd\loadqm.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-23 16:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ats = c:\windows\system32\asd\loadqm.exe noshow???????=???????????????????6?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\RtlGina2.dll
.
Completion time: 2010-10-23 16:47:53
ComboFix-quarantined-files.txt 2010-10-23 23:47

Pre-Run: 578,883,645,440 bytes free
Post-Run: 584,004,132,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F81725A3EB10FE65DDC15DD0CE382492

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:03 PM

Posted 23 October 2010 - 01:12 PM

Hello again,

Is this happening in Firefox or Internet Explorer or both?

I see a few things that we can remove.

First off, you have AskToolbar installed; I suggest you uninstall that, as it's commonly bundled with adware.

Then, let's collect a file that needs to be removed.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/topic353189.html
    Collect::[68]
    c:\windows\system32\ieframed.dll
    
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen would appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was successful".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.


--
Reboot your computer if Combofix doesn't do so automatically, and let me know if the redirect still occurs.

Thanks.

~Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
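A triage script for the kind of autostart listing posted above, as an added example that is not part of this thread and not ComboFix's own code: it assumes the Run-key line format ComboFix prints in the logs, runs over a constructed sample excerpt, and flags the tells the helper acted on (a look-alike of the genuine ieframe.dll, an executable in an unexpected folder under system32, and entries whose target file is gone), then builds the Collect:: block used in the CFScript step so the flagged files can be submitted for analysis rather than deleted blind.

```python
"""Triage autostart entries from a ComboFix-style log excerpt (added example)."""
import ntpath
import re
from difflib import SequenceMatcher

# Small allow-list of genuine Windows file names that malware likes to imitate.
# Constructed for this example; in practice build it from a trusted inventory.
KNOWN_SYSTEM_FILES = {
    "ieframe.dll", "svchost.exe", "winlogon.exe", "lsass.exe",
    "explorer.exe", "spoolsv.exe", "rpcrt4.dll", "comctl32.dll",
}

# Subfolders of system32 where executables and drivers normally live.
EXPECTED_SYSTEM32_SUBDIRS = {"drivers", "dllcache", "macromed", "wbem"}

# Matches ComboFix Run-key lines such as:  "name"="path" [2010-06-25 1193848]
# or, for an entry whose file is missing:  "name"="]" [X]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$'
)

# Constructed sample, modelled on the Run-key entries in the logs above.
# The "ats" and "iehelper" lines (dates, sizes, the entry name "iehelper")
# are invented for the example; only the paths appear in the thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="]" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"ats"="c:\windows\system32\asd\loadqm.exe" [2010-10-12 24064]
"iehelper"="c:\windows\system32\ieframed.dll" [2010-10-12 51200]
'''


def is_lookalike(filename, known=KNOWN_SYSTEM_FILES, threshold=0.85):
    """Return the genuine name this file name imitates, or None.

    A near-identical name (one extra or changed character) that is not
    itself on the allow-list is the pattern behind ieframed.dll.
    """
    name = filename.lower()
    if name in known:
        return None
    for real in known:
        if SequenceMatcher(None, name, real).ratio() >= threshold:
            return real
    return None


def is_odd_system32_location(path):
    """True when the file sits in a non-standard subfolder of system32."""
    parts = path.lower().replace("/", "\\").split("\\")
    if "system32" not in parts:
        return False
    i = parts.index("system32")
    subdirs = parts[i + 1:-1]          # folders between system32 and the file
    return bool(subdirs) and subdirs[0] not in EXPECTED_SYSTEM32_SUBDIRS


def triage(log_text):
    """Return (entry_name, target_path, reason) tuples worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        name, target, meta = m.group("name", "target", "meta")
        if meta.strip() == "X":
            findings.append((name, target, "target file missing (orphaned entry)"))
            continue
        real = is_lookalike(ntpath.basename(target))
        if real:
            findings.append((name, target, f"name imitates {real}"))
        if is_odd_system32_location(target):
            findings.append((name, target, "executable in unexpected folder under system32"))
    return findings


def collect_script(findings):
    """Build the CFScript 'Collect::' block (one path per line) for the flagged files.

    Orphaned entries have no file to collect, so they are left out.
    """
    paths = sorted({t for _, t, reason in findings if "missing" not in reason})
    return "Collect::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for name, target, reason in results:
        print(f"{name:14} {reason:48} {target}")
    print(collect_script(results))
```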

#7 RabidRobbie

RabidRobbie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:03 PM

Posted 23 October 2010 - 11:17 PM

I can't believe it. IT'S STOPPED REDIRECTING! I can't thank you enough extremeboy!



Here's the second log from combofix if you're interested:

ComboFix 10-10-22.03 - aaa 10/24/2010 13:18:42.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2764 [GMT -7:00]
Running from: c:\documents and settings\aaa\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\aaa\My Documents\Downloads\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\system32\ieframed.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ieframed.dll

.
((((((((((((((((((((((((( Files Created from 2010-09-24 to 2010-10-24 )))))))))))))))))))))))))))))))
.

2010-10-20 04:20 . 2010-10-20 04:20 -------- d-----w- c:\documents and settings\aaa\Application Data\Windows Desktop Search
2010-10-14 17:02 . 2010-10-14 17:02 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-14 16:41 . 2010-10-14 16:41 388096 ----a-r- c:\documents and settings\aaa\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-14 15:56 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 15:56 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 03:49 . 2010-10-14 03:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-10-14 03:32 . 2010-10-16 02:01 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-14 03:29 . 2010-10-14 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-14 03:29 . 2010-10-14 03:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-14 03:25 . 2010-10-14 03:25 -------- d-----w- c:\program files\Common Files\Java
2010-10-14 03:25 . 2010-10-14 03:25 0 ----a-w- c:\windows\system32\RENDC.tmp
2010-10-14 03:25 . 2010-10-14 03:25 0 ----a-w- c:\windows\system32\RENDB.tmp
2010-10-14 03:25 . 2010-10-14 03:25 0 ----a-w- c:\windows\system32\RENDA.tmp
2010-10-14 03:25 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-14 03:25 . 2010-07-17 12:00 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-14 03:25 . 2010-10-14 03:25 -------- d-----w- c:\program files\Java
2010-10-09 02:15 . 2010-10-09 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-09 02:15 . 2010-10-09 02:15 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-24 17:49 . 2009-12-04 23:45 16608 ----a-w- c:\windows\gdrv.sys
2010-09-18 19:23 . 2004-08-04 00:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 00:56 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 20:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 20:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 00:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 00:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2004-08-04 00:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-01 11:51 . 2004-08-04 00:56 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-03 23:17 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 00:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 00:56 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-03 23:14 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-12-02 21:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-24 21:57 . 2010-05-08 01:56 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 21:57 . 2010-05-08 01:56 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 21:57 . 2010-05-08 01:56 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 21:57 . 2010-05-08 01:56 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 21:57 . 2010-05-08 01:56 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 21:57 . 2010-05-08 01:56 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 21:57 . 2010-05-08 01:56 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 21:57 . 2010-05-08 01:56 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-24 21:57 . 2010-05-08 01:56 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 21:57 . 2010-05-08 01:56 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-23 16:12 . 2004-08-04 00:56 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 00:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2007-06-13 23:07 . 2007-06-13 23:07 6276080 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2010-08-24 21:57 . 2010-09-13 15:51 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-23_23.45.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-24 17:50 . 2010-10-24 17:50 16384 c:\windows\Temp\Perflib_Perfdata_544.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="]" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-5-17 2297856]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/7/2010 6:56 PM 84072]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/4/2009 4:46 PM 68136]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [5/14/2009 1:21 PM 98304]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/7/2010 6:56 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/7/2010 6:56 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/7/2010 6:56 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/7/2010 6:56 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/7/2010 6:56 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/7/2010 6:56 PM 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/7/2010 6:56 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2010 7:46 PM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/7/2010 6:56 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/7/2010 6:56 PM 84264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [3/27/2006 6:53 PM 167808]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-18 02:46]

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-18 02:46]

2010-10-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1078145449-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-1078145449-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1078145449-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-1078145449-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\aaa\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\aaa\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\aaa\Application Data\Mozilla\Firefox\Profiles\eel9szd2.default\
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\Java\jre6\bin\npjpi160_21.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-24 13:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\RtlGina2.dll
.
Completion time: 2010-10-24 13:27:11
ComboFix-quarantined-files.txt 2010-10-24 20:27
ComboFix2.txt 2010-10-23 23:47

Pre-Run: 582,298,083,328 bytes free
Post-Run: 582,275,379,200 bytes free

- - End Of File - - E4CFFFD729645FCCC47DD50F899D584F
Upload was successful



Thank you, Thank you, Thank you!

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:03 PM

Posted 24 October 2010 - 12:58 PM

Yup, seems to have done it successfully. :)

Let's get one online scan and a final checkup on your machine to make sure everything is fine.

Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

