Rootkit that returns after reformat


  • This topic is locked
26 replies to this topic

#1 jg49

jg49

  • Members
  • 34 posts
  • OFFLINE
  • Local time:09:31 AM

Posted 16 November 2010 - 10:14 AM

Hello, I am attaching my GMER and DDS logs as directed in another post. I have a laptop that had a rootkit infection a few weeks ago. I followed steps found on here to remove the problem. A week later I got a call that the computer was showing signs of infection again. I decided to reformat. After the reformat and re-installation of all the user's files and programs it started acting weird again; taking a long time for the desktop to appear was the first sign. Also, after the reinstall I was given a choice of two Windows XP instances to choose from on boot-up. I decided, before I got further, to reformat again right away. This time I didn't copy any of the user's files back to the computer and used a flash drive to install McAfee and XP SP3 instead of connecting to the internet. As soon as I installed XP SP3 it started acting up again. I ran ComboFix and it detected rootkit activity. So, here I am, completely stumped and really hoping for some help.

Thanks,
Jay


DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 8:11:36.75 on Tue 11/16/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.727 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\Administrator\Desktop\Defogger(2).exe
C:\Documents and Settings\Administrator\Desktop\dds(3).scr

============== Pseudo HJT Report ===============

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-13 344712]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-10-22 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-10-22 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-10-22 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-13 69192]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-13 91896]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-13 43192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-13 66536]

=============== Created Last 30 ================

2010-11-14 01:34:02 -------- d-sha-r- C:\cmdcons
2010-11-14 01:32:13 -------- d-----w- C:\ComboFix
2010-11-14 01:31:02 -------- d-----w- c:\windows\pss
2010-11-14 01:14:58 -------- d-----w- c:\windows\system32\PreInstall
2010-11-14 01:08:18 -------- d-----w- C:\QUARANTINE
2010-11-14 00:54:27 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
2010-11-14 00:54:27 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
2010-11-14 00:54:27 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
2010-11-14 00:54:26 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
2010-11-14 00:54:26 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
2010-11-14 00:53:45 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-11-14 00:22:41 76024 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-11-14 00:22:41 66536 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-14 00:22:41 43192 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-14 00:22:40 91896 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-14 00:22:40 69192 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-14 00:22:40 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-11-14 00:22:40 344712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-11-14 00:22:19 -------- d-----w- c:\program files\common files\Cisco Systems
2010-11-14 00:22:11 -------- d-----w- c:\program files\McAfee
2010-11-14 00:22:11 -------- d-----w- c:\program files\common files\McAfee
2010-11-13 05:24:15 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-11-13 05:12:25 160256 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2010-11-13 05:12:25 160256 ----a-r- c:\windows\system32\drivers\b57xp32.sys
2010-11-13 05:12:18 -------- d-----w- c:\program files\Broadcom
2010-11-13 04:52:56 -------- d-----w- c:\windows\ServicePackFiles
2010-11-13 04:52:43 294912 ------w- c:\program files\windows media player\dlimport.exe
2010-11-13 04:52:39 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-11-13 04:49:54 19569 ----a-w- c:\windows\002900_.tmp
2010-11-13 04:34:10 59520 ----a-w- c:\windows\system32\drivers\usbhub.sys
2010-11-13 04:23:12 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-11-13 04:23:11 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-11-13 04:23:10 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-11-13 04:23:07 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-11-13 04:23:06 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-11-13 04:23:05 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-11-13 04:23:05 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-11-13 04:23:04 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-11-13 04:23:03 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2010-11-13 04:23:02 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2010-11-13 04:23:01 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2010-11-13 04:22:57 90112 ----a-w- c:\windows\system32\stacsv.exe
2010-11-13 04:22:57 4939776 ----a-w- c:\windows\system32\stacgui.cpl
2010-11-13 04:22:57 303104 ----a-w- c:\windows\stsystra.exe
2010-11-13 04:22:57 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-11-13 04:22:55 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-11-13 04:22:55 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-11-13 04:22:55 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-11-13 04:22:50 142848 ----a-w- c:\windows\system32\staco.dll
2010-11-13 04:22:48 266240 ----a-w- c:\windows\system32\stacapi.dll
2010-11-13 04:22:48 1228296 ----a-w- c:\windows\system32\drivers\sthda.sys
2010-11-13 04:22:48 -------- d-----w- c:\program files\SigmaTel
2010-11-13 04:21:38 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iKernel.dll
2010-11-13 04:21:38 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\ctor.dll
2010-11-13 04:21:38 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\DotNetInstaller.exe
2010-11-13 04:21:38 303104 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\setup.dll
2010-11-13 04:21:38 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iscript.dll
2010-11-13 04:21:38 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iGdi.dll
2010-11-13 04:21:38 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iuser.dll
2010-11-13 04:17:29 -------- d-----w- c:\program files\CONEXANT
2010-11-13 04:15:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-11-13 04:14:06 94208 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-11-13 04:14:06 172032 ----a-w- c:\windows\system32\Uci32114.dll
2010-11-13 04:14:06 12672 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2010-11-13 04:14:05 209152 ----a-w- c:\windows\system32\drivers\HSFHWAZL.sys
2010-11-13 04:14:04 989696 ----a-w- c:\windows\system32\drivers\HSF_DPV.sys
2010-11-13 04:14:04 730112 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2010-11-13 04:04:46 -------- d-----w- c:\program files\Digital Line Detect

==================== Find3M ====================

2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-23 01:07:00 20768 ----a-w- c:\windows\system32\MFEOtlk.dll

============= FINISH: 8:12:41.01 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/12/2010 10:28:23 PM
System Uptime: 11/16/2010 7:58:14 AM (1 hours ago)

Motherboard: Dell Inc. | | 0UY141
Processor: Intel® Core™2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 68.435 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/12/2010 10:30:47 PM - System Checkpoint
RP2: 11/12/2010 10:44:14 PM - Installed Dell Resource CD.
RP3: 11/12/2010 10:48:59 PM - Installed OZ776 SCR Driver V1.1.3.9
RP4: 11/12/2010 11:04:48 PM - Installed Digital Line Detect
RP5: 11/12/2010 11:04:50 PM - Installed Digital Line Detect
RP6: 11/12/2010 11:15:28 PM - Installed Windows XP KB888111WXPSP2.
RP7: 11/12/2010 11:23:16 PM - Installed SigmaTel Audio
RP8: 11/12/2010 11:49:57 PM - Installed Windows XP Service Pack 3.
RP9: 11/13/2010 12:12:09 AM - Installed Broadcom Gigabit Integrated Controller.
RP10: 11/13/2010 7:22:30 PM - Installed McAfee VirusScan Enterprise
RP11: 11/13/2010 8:14:46 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Broadcom Gigabit Integrated Controller
Conexant HDA D330 MDC V.92 Modem
Dell Resource CD
Dell Wireless WLAN Card
Digital Line Detect
High Definition Audio Driver Package - KB888111
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
NVIDIA Drivers
OZ776 SCR Driver V1.1.3.9
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB979309)
SigmaTel Audio
Update for Windows XP (KB898461)
WebFldrs XP
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

11/13/2010 7:50:20 PM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
11/12/2010 10:49:10 PM, error: SCardSvr [616] - Reader monitor 'O2Micro CCID SC Reader 0' received uncaught error code: The device does not recognize the command.
11/12/2010 10:49:10 PM, error: SCardSvr [612] - Reader insertion monitor error retry threshold reached: The device does not recognize the command.
11/12/2010 10:47:27 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\drivers\usbhub.sys could not be copied into the DLL cache. The specific error code is 0x00000000 [The operation completed successfully. ]. This file is necessary to maintain system stability.
11/12/2010 10:47:27 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\usbui.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
11/12/2010 10:46:14 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\drivers\usbehci.sys could not be copied into the DLL cache. The specific error code is 0x00000000 [The operation completed successfully. ]. This file is necessary to maintain system stability.
11/12/2010 10:28:33 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

==== End Of File ===========================

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-16 09:17:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST980813AS rev.3.ADC
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fgdiqpow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF73489A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7348940]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF7348954]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73489BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF73489E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF7348A54]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF7348A3E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF7348A6A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7348AFE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF7348A96]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7348992]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7348904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7348918]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF7348AD2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF7348A28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF7348A12]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73489D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF7348ABE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF7348AAA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF734897E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF734896A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF73489FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7348B2D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF7348A80]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7348B14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7348AE8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 1 Byte [E9]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6C63380, 0x2F2807, 0xE8000020]
page C:\WINDOWS\System32\Drivers\oz776.sys entry point in "page" section [0xF783EE34]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00730000
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 0073002F
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00730FEF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0007009D
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F26
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F15
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0007008C
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700AE
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060062
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005005D
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005002E
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00AA0025
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90F9B
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90086
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90FAC
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90069
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90044
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A900B5
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A90F6F
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A90F26
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A90F37
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A900DA
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A90FBD
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A90F80
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A90033
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A90022
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A90F52
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A8001B
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A80F72
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A80F8D
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A80F9E
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [C8, 88]
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A80FB9
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70038
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A7001D
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A7000C
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70FAD
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FD2
.text C:\WINDOWS\system32\lsass.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B60F80
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B6007F
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B6006E
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60FA5
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60FC0
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B60F65
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B600A1
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B60F32
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60F43
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B600E6
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B60051
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B60090
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B60F54
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B5002C
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B50FAF
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B50011
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B5006C
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B50FC0
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D5, 88] {AAD 0x88}
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B5003D
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B40F9C
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40027
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40FC1
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40016
.text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00BF0014
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F44
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F55
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F72
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0F94
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F18
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA005E
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EF6
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F07
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA0EE5
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA0F83
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA0FDB
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA0F33
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA007B
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90F8D
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90F9E
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B90FAF
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80061
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80050
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B8002E
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B8003F
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8001D
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 030A0000
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 030A0FD1
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 030A0011
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02F60FEF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02F60F30
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02F60F4B
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02F60F68
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02F60025
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02F60FA8
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02F60EF3
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02F60F04
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02F60082
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02F60067
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02F60093
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02F60F8D
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02F6000A
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02F60F15
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02F60FC3
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02F60FD4
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02F60056
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02F50FD4
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02F50F9E
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02F5001B
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02F50000
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02F50FB9
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02F50FEF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02F50051
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02F50040
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02EC0F95
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 02EC0FB0
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02EC0FC1
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02EC0FEF
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02EC0016
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02EC0FD2
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 3 Bytes JMP 02370FEF
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket + 4 71AB4215 1 Byte [90]
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 02EA001B
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 02EA0000
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 02EA0FD9
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 02EA0FBE
.text C:\WINDOWS\Explorer.EXE[1300] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00EE000A
.text C:\WINDOWS\Explorer.EXE[1300] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00EE001B
.text C:\WINDOWS\Explorer.EXE[1300] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED007D
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0F92
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED006C
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0FAF
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED0047
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED0F77
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED00B3
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED00EE
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED0F55
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00ED00FF
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00ED0FC0
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00ED000A
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00ED00A2
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00ED0036
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00ED001B
.text C:\WINDOWS\Explorer.EXE[1300] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00ED0F66
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E40FB9
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E40F57
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E4000A
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E40F68
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E40F79
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E40F94
.text C:\WINDOWS\Explorer.EXE[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30049
.text C:\WINDOWS\Explorer.EXE[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30038
.text C:\WINDOWS\Explorer.EXE[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30016
.text C:\WINDOWS\Explorer.EXE[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FE3
.text C:\WINDOWS\Explorer.EXE[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30027
.text C:\WINDOWS\Explorer.EXE[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FD2
.text C:\WINDOWS\Explorer.EXE[1300] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00E20000
.text C:\WINDOWS\Explorer.EXE[1300] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\Explorer.EXE[1300] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\Explorer.EXE[1300] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00E2001D
.text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 007D0000
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 007D0022
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 007D0011
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0F52
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0F6D
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0047
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0025
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C0F2B
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C007D
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C0EF5
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C0F10
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007C00A9
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007C0F9E
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007C0FE5
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007C0062
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007C0FB9
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007C0FCA
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007C0098
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007B0014
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007B0040
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007B0FCD
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007B0FDE
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007B0F8D
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007B0F9E
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [9B, 88]
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007B0025
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007A0FB7
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 007A0FC8
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007A001D
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007A0038
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007A000C
.text C:\WINDOWS\system32\svchost.exe[1344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00D70022
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D6005B
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D6004A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60F70
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60F8D
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60F9E
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F29
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F3A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600AE
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D6009D
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D60EF0
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D6002F
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D60F4B
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D60014
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D60082
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D50FC3
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D50065
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D5004A
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D50039
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D50FB2
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D4005A
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40049
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FD9
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D4000C
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40038
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D4001D
.text C:\WINDOWS\system32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenW 771BAF29 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenA 771C578E 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenUrlA 771C5A5A 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\svchost.exe[1368] WININET.dll!InternetOpenUrlW 771D5B72 5 Bytes JMP 00D30FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00EE0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00EE000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00EE0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED0F8A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED0073
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0FB6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED00AB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED0F6F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED0F37
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED0F48
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00ED0F26
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00ED0058
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00ED0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00ED009A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00ED003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00ED0022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00ED00C6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EC0FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EC0F61
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EC0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EC0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EC0F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EC0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00EC0F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [0C, 89] {OR AL, 0x89}
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EC0FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB0FA1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB0FC6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB0FD7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EA000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00CA0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00CA0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00CA000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F5E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F6F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90047
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90F94
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FC0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90089
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C9006E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900BF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900AE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C90F0B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C90FA5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C90011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C90F4D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C90FD1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C90022
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C90F26
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C80FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C80062
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C8001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C8000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C80051
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C80FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00C80FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes CALL C89FEDB5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C80036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C7003A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C70FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70029
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
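As an added worked example (not part of the original post, and not GMER's own code), here is a small Python triage script for hook lines in the exact format GMER prints above. It parses each ".text" line, groups the hooks by process, decodes the JMP destination, and checks the two things a responder looks for in a log like this: whether the same set of APIs is patched in every process (a system-wide implant rather than one application's legitimate hook), and whether the JMP destinations land outside any loaded image (the 00B9xxxx, 02F6xxxx and 00EDxxxx targets above sit in low private memory, far below the 0x7xxxxxxx range where the patched system DLLs live). The sample lines are a constructed subset of the log above; the image ranges in MODULE_MAP are approximate XP SP3 load addresses assumed for illustration, and the "+ N" lines are treated as continuations of the preceding hook because that is how GMER labels them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the hook lines from the log above, in GMER 1.0.15's format.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B90FAF
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 030A0000
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02F5001B
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 3 Bytes JMP 02370FEF
.text C:\WINDOWS\Explorer.EXE[1300] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00EE000A
.text C:\WINDOWS\Explorer.EXE[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\Explorer.EXE[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E10FE5
"""

# ASSUMED, approximate XP SP3 image ranges for the DLLs hooked in the log. A live check
# would read them from the target process's module list instead of a static table.
MODULE_MAP = {
    "ntdll.dll":    (0x7C900000, 0x7C9AF000),
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "ADVAPI32.dll": (0x77DD0000, 0x77E6B000),
    "msvcrt.dll":   (0x77C10000, 0x77C68000),
    "WS2_32.dll":   (0x71AB0000, 0x71AC7000),
    "WININET.dll":  (0x771B0000, 0x7725A000),
}

HOOK_RE = re.compile(
    r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<what>.+)$"
)
JMP_RE = re.compile(r"\bJMP\s+([0-9A-Fa-f]{8})")


@dataclass
class Hook:
    path: str
    pid: int
    module: str
    func: str
    offset: int             # 0 for the hook itself, N for GMER's "+ N" continuation lines
    addr: int               # patched address inside the DLL
    nbytes: int
    target: Optional[int]   # JMP destination, or None when the patch is not a JMP


def parse_hooks(text: str) -> list:
    """Parse every '.text ...' hook line; lines in any other format are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        jmp = JMP_RE.search(m["what"])
        hooks.append(Hook(
            path=m["path"], pid=int(m["pid"]), module=m["module"], func=m["func"],
            offset=int(m["off"] or 0), addr=int(m["addr"], 16), nbytes=int(m["n"]),
            target=int(jmp.group(1), 16) if jmp else None,
        ))
    return hooks


def module_of(address: int, module_map=MODULE_MAP) -> Optional[str]:
    """Name of the image containing `address`, or None if it lies in no known image."""
    for name, (lo, hi) in module_map.items():
        if lo <= address < hi:
            return name
    return None


def triage(text: str, module_map=MODULE_MAP) -> dict:
    """Per-process hook summary plus the set of APIs patched in every process."""
    per_pid = defaultdict(lambda: {"image": None, "apis": set(), "target_pages": set(),
                                   "targets_outside_images": 0, "split_hooks": 0})
    for h in parse_hooks(text):
        s = per_pid[h.pid]
        s["image"] = h.path
        if h.offset:                       # second half of a hook GMER printed in two pieces
            s["split_hooks"] += 1
            continue
        s["apis"].add(f"{h.module}!{h.func}")
        if h.target is not None:
            s["target_pages"].add(h.target & 0xFFFF0000)
            if module_of(h.target, module_map) is None:
                s["targets_outside_images"] += 1
    common = set.intersection(*(s["apis"] for s in per_pid.values())) if per_pid else set()
    return {"processes": dict(per_pid), "common_apis": common}


def looks_like_process_wide_implant(result: dict) -> bool:
    """Heuristic: the same APIs are patched in every process and each process has JMP
    targets in non-image memory. Hooks placed by a mapped DLL (AV, accessibility tools)
    resolve to a module; injected shellcode or a manually mapped payload does not."""
    procs = result["processes"].values()
    return bool(result["common_apis"]) and all(s["targets_outside_images"] > 0 for s in procs)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for pid, s in sorted(result["processes"].items()):
        print(f"{s['image']}[{pid}]: {len(s['apis'])} APIs hooked, "
              f"{s['targets_outside_images']} JMP targets outside any image, "
              f"pages {[hex(p) for p in sorted(s['target_pages'])]}")
    print("patched in every process:", sorted(result["common_apis"]))
    print("process-wide implant pattern:", looks_like_process_wide_implant(result))
```

Run against the full "User code sections" part of a GMER log, the script reports one line per process and the API set common to all of them. Two caveats for real use: the module table must come from the live process (including vendor DLLs such as McAfee's, which legitimately hook some of the same APIs), otherwise a benign hooking DLL is misreported as non-image memory; and this only covers user-mode inline hooks, so the kernel-side checks (SSDT, IRP and device stacks, as in the Devices section above) still need their own review.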


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:31 AM

Posted 24 November 2010 - 03:45 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


Information and logs:

In your next post I need the following:

1. logs from DDS
2. log from RKUnHooker
3. let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 jg49

jg49
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:31 AM

Posted 24 November 2010 - 11:25 AM

Thanks for getting back to me. Here are the requested logs.


DDS (Ver_10-11-10.01) - NTFSx86
Run by Administrator at 11:11:57.85 on Wed 11/24/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.713 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Defogger.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\SoftwareDistribution\Download\0849b0f65b60bb74a53017c98ec00a15\update\update.exe

============== Pseudo HJT Report ===============

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-13 344712]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-13 69192]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-10-22 22816]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-10-22 147984]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-10-22 66880]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-13 91896]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-13 43192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-13 66536]

=============== Created Last 30 ================

2010-11-16 19:36:23 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-11-16 19:36:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 19:36:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 19:36:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-16 19:36:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-14 01:34:02 -------- d-sha-r- C:\cmdcons
2010-11-14 01:32:13 -------- d-----w- C:\ComboFix
2010-11-14 01:31:02 -------- d-----w- c:\windows\pss
2010-11-14 01:14:58 -------- d-----w- c:\windows\system32\PreInstall
2010-11-14 01:08:18 -------- d-----w- C:\QUARANTINE
2010-11-14 00:54:27 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
2010-11-14 00:54:27 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
2010-11-14 00:54:27 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
2010-11-14 00:54:26 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
2010-11-14 00:54:26 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
2010-11-14 00:53:45 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-11-14 00:22:41 76024 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-11-14 00:22:41 66536 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-14 00:22:41 43192 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-14 00:22:40 91896 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-14 00:22:40 69192 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-14 00:22:40 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-11-14 00:22:40 344712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-11-14 00:22:19 -------- d-----w- c:\program files\common files\Cisco Systems
2010-11-14 00:22:11 -------- d-----w- c:\program files\McAfee
2010-11-14 00:22:11 -------- d-----w- c:\program files\common files\McAfee
2010-11-13 05:24:15 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-11-13 05:12:25 160256 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2010-11-13 05:12:25 160256 ----a-r- c:\windows\system32\drivers\b57xp32.sys
2010-11-13 05:12:18 -------- d-----w- c:\program files\Broadcom
2010-11-13 04:52:56 -------- d-----w- c:\windows\ServicePackFiles
2010-11-13 04:52:43 294912 ------w- c:\program files\windows media player\dlimport.exe
2010-11-13 04:52:39 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-11-13 04:49:54 19569 ----a-w- c:\windows\002900_.tmp
2010-11-13 04:34:10 59520 ----a-w- c:\windows\system32\drivers\usbhub.sys
2010-11-13 04:23:12 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-11-13 04:23:11 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-11-13 04:23:10 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-11-13 04:23:07 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-11-13 04:23:06 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-11-13 04:23:05 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-11-13 04:23:05 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-11-13 04:23:04 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-11-13 04:23:03 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2010-11-13 04:23:02 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2010-11-13 04:23:01 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2010-11-13 04:22:57 90112 ----a-w- c:\windows\system32\stacsv.exe
2010-11-13 04:22:57 4939776 ----a-w- c:\windows\system32\stacgui.cpl
2010-11-13 04:22:57 303104 ----a-w- c:\windows\stsystra.exe
2010-11-13 04:22:57 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-11-13 04:22:55 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-11-13 04:22:55 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-11-13 04:22:55 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-11-13 04:22:50 142848 ----a-w- c:\windows\system32\staco.dll
2010-11-13 04:22:48 266240 ----a-w- c:\windows\system32\stacapi.dll
2010-11-13 04:22:48 1228296 ----a-w- c:\windows\system32\drivers\sthda.sys
2010-11-13 04:22:48 -------- d-----w- c:\program files\SigmaTel
2010-11-13 04:21:38 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iKernel.dll
2010-11-13 04:21:38 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\ctor.dll
2010-11-13 04:21:38 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\DotNetInstaller.exe
2010-11-13 04:21:38 303104 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\setup.dll
2010-11-13 04:21:38 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iscript.dll
2010-11-13 04:21:38 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iGdi.dll
2010-11-13 04:21:38 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iuser.dll
2010-11-13 04:17:29 -------- d-----w- c:\program files\CONEXANT
2010-11-13 04:15:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-11-13 04:14:06 94208 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-11-13 04:14:06 172032 ----a-w- c:\windows\system32\Uci32114.dll
2010-11-13 04:14:06 12672 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2010-11-13 04:14:05 209152 ----a-w- c:\windows\system32\drivers\HSFHWAZL.sys
2010-11-13 04:14:04 989696 ----a-w- c:\windows\system32\drivers\HSF_DPV.sys
2010-11-13 04:14:04 730112 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2010-11-13 04:04:46 -------- d-----w- c:\program files\Digital Line Detect

==================== Find3M ====================

2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-23 01:07:00 20768 ----a-w- c:\windows\system32\MFEOtlk.dll

============= FINISH: 11:12:31.76 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/12/2010 10:28:23 PM
System Uptime: 11/24/2010 11:01:04 AM (0 hours ago)

Motherboard: Dell Inc. | | 0UY141
Processor: Intel® Core™2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 68.919 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/12/2010 10:30:47 PM - System Checkpoint
RP2: 11/12/2010 10:44:14 PM - Installed Dell Resource CD.
RP3: 11/12/2010 10:48:59 PM - Installed OZ776 SCR Driver V1.1.3.9
RP4: 11/12/2010 11:04:48 PM - Installed Digital Line Detect
RP5: 11/12/2010 11:04:50 PM - Installed Digital Line Detect
RP6: 11/12/2010 11:15:28 PM - Installed Windows XP KB888111WXPSP2.
RP7: 11/12/2010 11:23:16 PM - Installed SigmaTel Audio
RP8: 11/12/2010 11:49:57 PM - Installed Windows XP Service Pack 3.
RP9: 11/13/2010 12:12:09 AM - Installed Broadcom Gigabit Integrated Controller.
RP10: 11/13/2010 7:22:30 PM - Installed McAfee VirusScan Enterprise
RP11: 11/13/2010 8:14:46 PM - Software Distribution Service 3.0
RP12: 11/16/2010 8:37:58 AM - System Checkpoint
RP13: 11/24/2010 11:03:21 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Broadcom Gigabit Integrated Controller
Conexant HDA D330 MDC V.92 Modem
Dell Resource CD
Dell Wireless WLAN Card
Digital Line Detect
High Definition Audio Driver Package - KB888111
Malwarebytes' Anti-Malware
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
NVIDIA Drivers
OZ776 SCR Driver V1.1.3.9
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
SigmaTel Audio
Update for Windows XP (KB898461)
WebFldrs XP
Windows XP Service Pack 3

==== End Of File ===========================
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF6C4C000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6729728 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 101.19 )
0xBF9D5000 C:\WINDOWS\System32\nv4_disp.dll 5468160 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 101.19 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF5845000 C:\WINDOWS\system32\drivers\sthda.sys 1175552 bytes (SigmaTel, Inc., NDRC)
0xF56FB000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF5648000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF6B58000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 606208 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xF73C1000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF5461000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6A2C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF5594000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF7327000 mfehidk.sys 339968 bytes (McAfee, Inc., McAfee Link Driver)
0xBABE9000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xB9E6C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF57ED000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xF6A8A000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7515000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xBAC63000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7394000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF6B2D000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 176128 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB9966000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF54F9000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF6BEC000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF5546000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF556E000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF5821000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6C14000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6B0A000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF5524000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7477000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74C7000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF74E6000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF737A000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF74AF000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF5449000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7497000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF744E000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6ACB000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xBA9CC000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6C38000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF55ED000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF9C3000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7465000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7504000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6ABA000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF76E4000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7754000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7714000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7654000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7734000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF69C4000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF77F4000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7764000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBACC8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF77E4000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7664000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7814000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xF76F4000 C:\WINDOWS\System32\Drivers\oz776.sys 57344 bytes (O2Micro, O2Micro USB CCID SmartCard Reader)
0xF76A4000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7724000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7774000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7684000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7794000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7834000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7744000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7674000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7784000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7644000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF77D4000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF77C4000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7694000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7704000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF77A4000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7824000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB9A38000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF69D4000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78D4000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF7974000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF79AC000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7934000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF79E4000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF78C4000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF794C000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7944000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF792C000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF799C000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF79A4000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF78CC000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7964000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF796C000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7954000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF79F4000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7A5C000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7AFC000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBAC98000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xF7B20000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xBAF1C000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7AF4000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF54E9000 C:\WINDOWS\System32\Drivers\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xF7A54000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7A58000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF54D5000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7B04000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF72DF000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7B00000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF7B5A000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7BAE000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B58000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B44000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B5C000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B5E000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B4C000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B52000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B46000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7CB8000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7C80000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7D2B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C0C000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0xBA7656E8 Unknown thread object [ ETHREAD 0x8604BAF8 ] , 600 bytes
0xB8E596E8 Unknown thread object [ ETHREAD 0x85CE2DA8 ] , 600 bytes
0xB8F0A6E8 Unknown thread object [ ETHREAD 0x85F9B4C8 ] , 600 bytes
0xB8E596E8 Unknown thread object [ ETHREAD 0x85CE7020 ] , 600 bytes
0xB8E596E8 Unknown thread object [ ETHREAD 0x8602B020 ] , 600 bytes
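
The RkUnhooker listing above is the sort of output a responder reads line by line: 125 driver entries, a few of them without any vendor string, plus five "Unknown thread object" lines in the Stealth section. The following is an added example written for this page, not code from the thread or from RkUnhooker itself. It parses the ">Drivers" and ">Stealth" sections and applies two mechanical triage rules that are my own choice: flag any kernel module loaded from a user profile or temp directory, and flag any real file for which RkU printed no vendor/description, after setting aside the crash-dump copies (dump_*.sys) and RkU's aliases for the kernel image (PnpManager, RAW, WMIxWDM, Win32k, ACPI_HAL), which share a base address with a named image. The sample input is an excerpt copied from the posted log; the single line marked "constructed" is not in the log and exists only so the second rule has a hit. On the real excerpt the only hit is mbr.sys in the Administrator's Temp folder, consistent with the helper driver of the MBR.exe tool that the DDS log lists in c:\windows, and Normandy.SYS is RkU's own driver, as the log says. A hit is therefore a lead to identify, not a verdict, and the unknown thread objects are only counted here; whether they belong to McAfee, to the scanning tools or to something else is exactly what the helper still has to establish.

```python
import re
from dataclasses import dataclass, field

# Excerpt copied from the RkUnhooker log posted above (a handful of its 125 driver
# lines plus two Stealth lines). The only constructed line is marked below.
RKU_DRIVERS_EXCERPT = r"""
>Drivers
==============================================
0xF6C4C000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6729728 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 101.19 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0xF7515000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF7327000 mfehidk.sys 339968 bytes (McAfee, Inc., McAfee Link Driver)
0xF5449000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9A38000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF79E4000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF7BAE000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7C0C000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
"""
# Constructed line (NOT in the posted log) so the "no vendor string" rule has a hit.
CONSTRUCTED_LINE = r"0xB9A00000 C:\WINDOWS\system32\drivers\noinfo_example.sys 20480 bytes"
RKU_STEALTH_EXCERPT = r"""
==============================================
>Stealth
==============================================
0xBA7656E8 Unknown thread object [ ETHREAD 0x8604BAF8 ] , 600 bytes
0xB8E596E8 Unknown thread object [ ETHREAD 0x85CE2DA8 ] , 600 bytes
"""
SAMPLE_LOG = RKU_DRIVERS_EXCERPT + CONSTRUCTED_LINE + RKU_STEALTH_EXCERPT


@dataclass
class Driver:
    base: int
    path: str
    size: int
    info: str  # text inside the trailing parentheses; "" when RkU printed none


@dataclass
class RkuReport:
    drivers: list = field(default_factory=list)
    unknown_threads: list = field(default_factory=list)  # (object addr, ETHREAD addr)


DRIVER_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+)\s+(?P<path>\S+)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)
THREAD_RE = re.compile(
    r"^(?P<addr>0x[0-9A-Fa-f]+) Unknown thread object \[ ETHREAD (?P<ethread>0x[0-9A-Fa-f]+) \]"
)


def parse_rku(text):
    """Split an RkU log into its >Drivers and >Stealth sections."""
    report = RkuReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):
            section = line[1:].strip().lower()
            continue
        if section == "drivers":
            m = DRIVER_RE.match(line)
            if m:
                report.drivers.append(Driver(int(m["base"], 16), m["path"],
                                             int(m["size"]), (m["info"] or "").strip()))
        elif section == "stealth":
            m = THREAD_RE.match(line)
            if m:
                report.unknown_threads.append((int(m["addr"], 16), int(m["ethread"], 16)))
    return report


# Path fragments that mean "user-writable profile or temp directory" (my choice of rule).
PROFILE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")


def triage_drivers(drivers):
    """Two mechanical rules; every hit still needs a human to identify the file."""
    identified_bases = {d.base for d in drivers if d.info}
    findings = []
    for d in drivers:
        low = d.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if any(marker in low for marker in PROFILE_MARKERS):
            # Rule 1: kernel code loaded from a user profile / temp directory.
            findings.append((d.path, "kernel module loaded from a profile or temp path"))
        elif not d.info:
            if name.startswith("dump_"):
                continue  # dump_atapi.sys / dump_WMILIB.SYS: crash-dump copies of the storage stack
            if d.base in identified_bases:
                continue  # RkU alias (PnpManager, RAW, WMIxWDM, Win32k, ACPI_HAL) sharing a base with a named image
            # Rule 2: a real file that RkU could not attach a vendor/description to.
            findings.append((d.path, "no vendor or description string"))
    return findings


def summarize(text):
    report = parse_rku(text)
    return {
        "drivers": len(report.drivers),
        "unknown_threads": len(report.unknown_threads),
        "findings": triage_drivers(report.drivers),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['drivers']} drivers, {s['unknown_threads']} unknown thread objects")
    for path, reason in s["findings"]:
        print(f"  {reason}: {path}")
```

Run against the full log rather than the excerpt, the same two rules produce the same single real hit (mbr.sys), which is why a parser like this is a sorting aid and not a detector: it tells the responder which of 125 lines deserve a manual look first.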

#4 gringo_pr (Malware Response Team)

Posted 24 November 2010 - 12:10 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 jg49 (Topic Starter)

Posted 24 November 2010 - 12:36 PM

Here is the Combofix log. When I ran it I got the message, "Combofix has detected rootkit activity and needs to reboot." I rebooted and the scan ran when the computer was back up.


ComboFix 10-11-23.05 - Administrator 11/24/2010 12:26:57.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.750 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))
.

2010-11-14 01:08 . 2010-11-24 17:26 -------- d-----w- C:\QUARANTINE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-23 01:07 . 2010-10-23 01:07 20768 ----a-w- c:\windows\system32\MFEOtlk.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-11-14_01.11.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-11-13 04:49 . 2007-08-11 01:46 17272 c:\windows\system32\spmsg.dll
+ 2010-11-13 04:49 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2004-08-04 10:00 . 2010-11-24 17:15 40394 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-11-14 00:56 40394 c:\windows\system32\perfc009.dat
- 2010-11-13 03:20 . 2008-04-14 10:42 91648 c:\windows\system32\mtxoci.dll
+ 2010-11-13 03:20 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
+ 2004-08-04 10:00 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
- 2004-08-04 10:00 . 2008-04-14 10:42 66560 c:\windows\system32\mtxclu.dll
+ 2010-11-13 03:20 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2010-11-13 03:20 . 2008-04-14 10:42 58880 c:\windows\system32\msdtclog.dll
+ 2010-11-16 19:36 . 2010-04-29 20:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-11-16 19:36 . 2010-04-29 20:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-11-14 00:54 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2010-11-14 00:54 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2010-11-14 00:54 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2010-11-14 00:53 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 10:00 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
+ 2004-08-04 10:00 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
- 2004-08-04 10:00 . 2010-11-14 00:56 312172 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2010-11-24 17:15 312172 c:\windows\system32\perfh009.dat
- 2010-11-13 03:20 . 2008-04-14 10:42 161792 c:\windows\system32\msdtcuiu.dll
+ 2010-11-13 03:20 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
+ 2010-11-13 03:20 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
- 2010-11-13 03:20 . 2008-04-14 10:42 956928 c:\windows\system32\msdtctm.dll
+ 2010-11-13 03:20 . 2008-06-13 00:53 428032 c:\windows\system32\msdtcprx.dll
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2010-11-14 00:54 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2010-11-14 00:54 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-13 00:53 . 2008-06-13 00:53 428032 c:\windows\system32\dllcache\msdtcprx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"nwiz"="nwiz.exe" [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-11-12 50688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [10/22/2010 8:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/13/2010 7:22 PM 69192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/13/2010 7:22 PM 66536]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-24 12:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-24 12:31:10
ComboFix-quarantined-files.txt 2010-11-24 17:31
ComboFix2.txt 2010-11-14 01:50
ComboFix3.txt 2010-11-14 01:12
ComboFix4.txt 2010-11-13 03:38

Pre-Run: 73,860,976,640 bytes free
Post-Run: 73,859,457,024 bytes free

- - End Of File - - C0115BA6E17CE17BAB45642E51C745EF

#6 gringo_pr (Malware Response Team)

Posted 24 November 2010 - 04:13 PM

Hello Jay

I have a few questions.

What signs are you talking about the computer having?

Is this computer yours? It doesn't matter to me, but it will change my instructions. I suspect what is going on.

Gringo

#7 jg49 (Topic Starter)

Posted 24 November 2010 - 04:22 PM

It is a work computer. The problems started when suddenly the user noticed some whitesmoke shortcuts appear on their desktop. The computer was going really slow. I reformatted and after installing everything it started getting really slow again and then I ran combofix which detected rootkit activity soon after reinstallation.
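
The post above describes a clean install that shows rootkit activity again almost immediately. Formatting a partition rewrites only that partition; the master boot record in sector 0 lies outside every partition, so one check a practitioner would want at this point is to read sector 0 and compare it with a known-good copy. The DDS log lists c:\windows\MBR.exe, so an MBR check of some kind was already run on this machine; the thread does not say what it reported, and nothing below assumes the malware in this thread lives in the MBR. The following is an added example written for this page, not code from the thread or from any tool named in it: it parses a 512-byte MBR, validates the 0x55AA signature and the partition table (status bytes, exactly one active entry, no overlaps) and compares a hash of the 440-byte boot code against a baseline. The sample sector, the disk signature 0x1234ABCD and the baseline are constructed; read_mbr() is the only part that touches a real disk and is not called by default. The caveat that matters for a case like this one is in its comment: a kernel rootkit that filters disk I/O can hand back a clean-looking sector 0 to a read made from inside the running OS, so the read that counts is the one taken from boot media or with the drive attached to another machine.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"


def build_sample_mbr():
    # Constructed MBR, not taken from the laptop in this thread: a short real-mode
    # stub (xor ax,ax / mov ss,ax / mov sp,0x7C00) padded to 440 bytes, a made-up
    # disk signature, one active NTFS partition starting at LBA 63, three empty slots.
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(440, b"\x00")
    disk_signature = struct.pack("<I", 0x1234ABCD)
    reserved = b"\x00\x00"
    # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 157_000_000)
    empty = b"\x00" * 16
    return boot_code + disk_signature + reserved + ntfs + empty * 3 + BOOT_SIGNATURE


def read_mbr(device=r"\\.\PhysicalDrive0"):
    # Needs administrator rights on Windows; on Linux use e.g. "/dev/sda".
    # Caveat: a kernel rootkit that filters disk I/O can return a clean-looking
    # sector here, so compare with a read taken from boot media or from the drive
    # attached to another machine. Not called by default.
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Decode signature, disk signature, boot-code hash and the four partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba_start, sectors = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"slot": slot, "status": status, "active": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def find_anomalies(mbr, baseline_boot_code_sha256=None):
    """Structural checks plus an optional comparison with a known-good boot-code hash."""
    issues = []
    if not mbr["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected exactly one)")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"slot {p['slot']}: invalid status byte 0x{p['status']:02X}")
    ordered = sorted(mbr["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append(f"partitions in slots {a['slot']} and {b['slot']} overlap")
    if baseline_boot_code_sha256 and mbr["boot_code_sha256"] != baseline_boot_code_sha256:
        issues.append("boot code differs from the known-good baseline")
    return issues


if __name__ == "__main__":
    sample = build_sample_mbr()
    parsed = parse_mbr(sample)
    baseline = parsed["boot_code_sha256"]  # constructed baseline: the sample's own hash
    print("partitions:", parsed["partitions"])
    print("clean sample:", find_anomalies(parsed, baseline))
    tampered = bytearray(sample)
    tampered[0:3] = b"\xEB\xFE\x90"  # constructed tampering: patch the first boot-code bytes
    print("tampered sample:", find_anomalies(parse_mbr(bytes(tampered)), baseline))
```

The baseline hash is the piece that has to come from somewhere trusted: a sector 0 captured from the same model right after a known-clean install, or the standard Windows MBR code for that Windows version. Without it the structural checks still catch a broken signature or an overlapping or second active partition, but a bootkit that keeps the table intact and only replaces the boot code will pass them.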

#8 jg49 (Topic Starter)

Posted 24 November 2010 - 04:24 PM

Actually, this morning I had another user tell me they were having problems and they had the whitesmoke shortcuts as well. I'm hoping this new one will be easier to clean up than the last one.

#9 gringo_pr (Malware Response Team)

Posted 24 November 2010 - 04:34 PM

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 jg49

Posted 24 November 2010 - 04:42 PM

I am away from this computer now until Monday morning. I will carry out the next steps then. You said you suspect what the problem is? Thanks again for all your help so far.

#11 gringo_pr

Posted 24 November 2010 - 05:10 PM

11/29

#12 gringo_pr


Posted 27 November 2010 - 11:30 PM

11/29

#13 jg49

Posted 29 November 2010 - 09:27 AM

I'm back. Thanks for sticking with me. Here are the requested logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

11/29/2010 9:22:58 AM
mbam-log-2010-11-29 (09-22-58).txt

Scan type: Quick scan
Objects scanned: 130249
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:25:53 AM, on 11/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4387 bytes

#14 gringo_pr

Posted 29 November 2010 - 12:16 PM

Hello

The network that this computer is on is a big network.

We are going to check the router.

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
REM Collect the network settings, DNS answers, reachability and routing
REM table into Log1.txt, then open the log and delete this batch file.
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Choose "Save as type: All Files" and "where to save: Desktop", then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo
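The router check gringo asks for, as an added example that is not part of this thread: a small Python script that parses the Log1.txt router.bat produces and lists the things a reviewer would look at in it (a DNS server or gateway outside the local subnet, route print disagreeing with ipconfig on the gateway, nslookup being answered by a server that is not the configured one). The sample log, its host and server names, and the off-subnet DNS address are constructed.

```python
import re
import ipaddress

# Constructed sample in the shape of router.bat's Log1.txt (ipconfig /all, nslookup, route
# print), not the log posted in this thread; the second DNS server is deliberately off-subnet.
SAMPLE_LOG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.0.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.2
                                       203.0.113.53
Server:  server_1.example.com
Address:  192.168.0.2
Default Gateway:     192.168.0.1
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")
RESOLVER = re.compile(r"^Server:\s*\S+\s*\r?\nAddress:\s*(\S+)", re.M)

def parse_fields(text):
    """Map 'Field' -> [values]; an indented line with no colon continues the previous
    field, which is how ipconfig lists a second DNS server."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, value = m.group(1).strip(), m.group(2).strip()
            fields.setdefault(last, []).extend([value] if value else [])
        elif last and line[:1].isspace() and ":" not in line and line.strip():
            fields[last].append(line.strip())
    return fields

def check_router_log(text):
    """Findings worth a look: DNS servers or gateways off the local subnet, route print
    disagreeing with ipconfig on the gateway, or nslookup answered by a server that is not
    a configured DNS server. Assumes one connected adapter, as in the logs in this thread."""
    f = parse_fields(text)
    local = ipaddress.ip_interface(f"{f['IP Address'][0]}/{f['Subnet Mask'][0]}").network
    dns = f.get("DNS Servers", [])
    findings = [f"DNS server {d} is outside {local}" for d in dns
                if ipaddress.ip_address(d) not in local]
    gateways = f.get("Default Gateway", [])  # ipconfig's value first, then route print's
    if len(set(gateways)) > 1:
        findings.append(f"ipconfig and route print disagree on the gateway: {gateways}")
    findings += [f"gateway {g} is outside {local}" for g in sorted(set(gateways))
                 if ipaddress.ip_address(g) not in local]
    findings += [f"nslookup was answered by {r}, not a configured DNS server"
                 for r in sorted(set(RESOLVER.findall(text))) if r not in dns]
    return findings
```

An off-subnet DNS server is only a lead (corporate or ISP resolvers are often off-subnet); the point is to compare the list against what the site's administrator says it should be.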

#15 jg49

Posted 29 November 2010 - 01:12 PM

The network that I am on now is not the network that this computer was on when the infection happened. Should I run this on that network? I'll post the results of the scan on the network I am attached to now.



Windows IP Configuration

Host Name . . . . . . . . . . . . : north_20
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : keystone.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : keystone.com
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1C-23-B7-07-36
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.134
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.2
DNS Servers . . . . . . . . . . . : 192.168.0.2
Primary WINS Server . . . . . . . : 192.168.0.2
Lease Obtained. . . . . . . . . . : Monday, November 29, 2010 9:13:54 AM
Lease Expires . . . . . . . . . . : Wednesday, December 01, 2010 9:13:54 AM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-1D-60-A8-FC-F9

Server: server_1.keystone.com
Address: 192.168.0.2

Name: google.com
Addresses: 72.14.204.104, 72.14.204.147, 72.14.204.99, 72.14.204.103

Server: server_1.keystone.com
Address: 192.168.0.2

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76

Pinging google.com [72.14.204.104] with 32 bytes of data:

Reply from 72.14.204.104: bytes=32 time=224ms TTL=51
Reply from 72.14.204.104: bytes=32 time=236ms TTL=51

Ping statistics for 72.14.204.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 224ms, Maximum = 236ms, Average = 230ms

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=311ms TTL=51
Reply from 72.30.2.43: bytes=32 time=314ms TTL=51

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 311ms, Maximum = 314ms, Average = 312ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c 23 b7 07 36 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 1d 60 a8 fc f9 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.134 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.134 192.168.0.134 20
192.168.0.134 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.134 192.168.0.134 20
224.0.0.0 240.0.0.0 192.168.0.134 192.168.0.134 20
255.255.255.255 255.255.255.255 192.168.0.134 192.168.0.134 1
255.255.255.255 255.255.255.255 192.168.0.134 3 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None



