Infected with malware?


  • This topic is locked
27 replies to this topic

#1 needhelp16

  • Members
  • 50 posts

Posted 02 January 2011 - 01:18 PM

Please see the requested logs in my earlier thread (LINK). Thanks again and happy new year!!

=================
DDS Log
=================

DDS (Ver_10-12-12.02) - NTFSx86
Run by admin at 2:58:47.96 on Sun 01/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1044 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
svchost.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
"C:\WINDOWS\System32\svchost.exe"
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mail.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:53453
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08cb -f video -m logitech -d 11.5.0.1145
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209673246091
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://sae.webex.com/client/T27LB/webex/ieatgpc.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\5q572yk4.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwdplugin821.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {A4849A4B-8B9B-4602-AA64-BA43BE80B270} - c:\documents and settings\admin\local settings\application data\{A4849A4B-8B9B-4602-AA64-BA43BE80B270}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-5-1 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-5-1 2521880]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-5-1 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-5-1 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-5-1 168776]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-20 517448]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2008-7-29 39424]

=============== Created Last 30 ================

2011-01-01 19:53:29 -------- d-----w- c:\program files\Runtime Software
2010-12-29 21:46:18 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-12-29 21:46:18 -------- d-----w- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2010-12-29 21:46:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-29 20:22:28 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-12-29 20:22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 20:22:24 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-12-29 20:22:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 20:22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 19:48:11 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-29 19:47:07 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-29 19:46:38 -------- d-----w- C:\d626f7d1d9fc54cc6dc5cc85d04b15
2010-12-29 19:45:56 388096 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-29 19:45:51 -------- d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2011-01-02 03:14:44 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-01-02 03:14:42 57752 ----a-w- c:\windows\system32\rpcnet.dll
2011-01-02 03:13:39 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-12-30 05:19:54 57752 ------w- c:\windows\system32\rpcnet.exe
2010-11-20 01:44:38 0 ----a-w- c:\windows\Syepah.bin
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 3:00:15.73 ===============

====================
GMER log
====================
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-02 10:33:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS722016K9A300 rev.DCDOCA1H
Running: gmer.exe; Driver: C:\DOCUME~1\admin\LOCALS~1\Temp\pxlyipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA18A6C0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xBA18A770] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA18A810] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA18A8B0] <-- ROOTKIT !!!

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB48B935B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB48B92DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB48B9385]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB48B92EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB48B931B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB48B93AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB48B92C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB48B936F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB48B9305]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB48B9331]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB48B93C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB48B9399]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B48B939D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP B48B935F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B48B93B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B48B93C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP B48B9373 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP B48B9389 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP B48B9335 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B48B9309 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP B48B92DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B48B92F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B48B931F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B48B92CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? djebeoyo.sys A device attached to the system is not functioning. !
PAGE Ntfs.sys B9D7DE55 4 Bytes CALL 8AB425E1
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8C3A360, 0x30A247, 0xE8000020]
? C:\DOCUME~1\admin\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F57
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE004C
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F72
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F32
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE006E
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00C1
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00A6
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F0D
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE005D
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE008B
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F54
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0F79
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FA1
.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FBC
.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00840000
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00840F72
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00840F83
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00840051
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00840F9E
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00840FC0
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00840095
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00840F4D
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008400CB
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008400BA
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008400DC
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00840FAF
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00840FEF
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00840078
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00840036
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00840025
.text C:\WINDOWS\system32\svchost.exe[580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00840F32
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00830FB9
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00830040
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00830014
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00830FD4
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0083002F
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00830FE5
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00830F8D
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A3, 88]
.text C:\WINDOWS\system32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00830F9E
.text C:\WINDOWS\system32\svchost.exe[580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00820F86
.text C:\WINDOWS\system32\svchost.exe[580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00820FA1
.text C:\WINDOWS\system32\svchost.exe[580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00820FC6
.text C:\WINDOWS\system32\svchost.exe[580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00820FEF
.text C:\WINDOWS\system32\svchost.exe[580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00820011
.text C:\WINDOWS\system32\svchost.exe[580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\svchost.exe[580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00810000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01CE0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01CE0078
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01CE0F83
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CE0F94
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01CE0047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01CE0036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01CE0F3C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01CE0F57
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01CE0F06
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01CE0F17
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01CE0EEB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01CE0FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01CE0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01CE0F72
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01CE0FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01CE0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01CE009F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01CD0025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01CD005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01CD0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01CD0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01CD0F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01CD0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01CD004A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01CD0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01CC0FA6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] msvcrt.dll!system 77C293C7 5 Bytes JMP 01CC0FB7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01CC0FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01CC000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01CC0FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01CC001D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CB0000
? C:\WINDOWS\System32\svchost.exe[780] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0090
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A007F
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FB6
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0058
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F59
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F76
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00DE
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00CD
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00EF
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FD1
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0011
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A00A1
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A003D
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A002C
.text C:\WINDOWS\System32\svchost.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00B2
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290078
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 0029005D
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FE3
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0029000C
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290038
.text C:\WINDOWS\System32\svchost.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029001D
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002A000A
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002A0025
.text C:\WINDOWS\System32\svchost.exe[780] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 002A0040
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FA8
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F72
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F83
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0025
.text C:\WINDOWS\System32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B000A
.text C:\WINDOWS\System32\svchost.exe[780] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01410FEF
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01410F41
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01410F5C
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01410040
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01410F83
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01410025
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01410F1F
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01410F30
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01410EE2
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01410EF3
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01410EC7
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01410F9E
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01410FDE
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01410051
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01410014
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01410FC3
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01410F0E
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01400FC0
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0140004A
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01400FE5
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0140001B
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01400F83
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01400000
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01400F94
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [60, 89]
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01400FAF
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013F0011
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 013F0F90
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013F0000
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013F0FEF
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013F0FA1
.text C:\WINDOWS\system32\services.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013F0FD2
.text C:\WINDOWS\system32\services.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013E0FEF
.text C:\WINDOWS\system32\services.exe[1104] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[1104] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[1104] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\services.exe[1104] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90062
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90047
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90036
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90F79
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90F94
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F1A
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90F41
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90EDD
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90EF8
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90091
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90F52
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90FA5
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F90F09
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80079
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F8005E
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FBC
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FCD
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00F99
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00FBE
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D0002E
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FD9
.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D0001D
.text C:\WINDOWS\system32\lsass.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE003D
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F48
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F63
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0F94
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F12
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F2D
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0ECB
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0EE6
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0EBA
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0058
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F01
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F8A
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FB2
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0033
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC000C
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1352] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D40F94
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40FA5
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D4007D
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D4006C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40047
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40F5C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D400A4
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D400F5
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D400E4
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D40110
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40FC0
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D40F79
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D40FDB
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D4002C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D400C9
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70025
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70FA5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70014
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B7006C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B70051
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70036
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60066
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B6004B
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B6003A
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B6001D
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 029D0FEF
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 029D0F3A
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 029D002F
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 029D0F55
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 029D0F72
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 029D000A
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 029D0EFD
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 029D0F0E
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 029D008C
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 029D007B
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 029D00B1
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 029D0F83
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 029D0FD4
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 029D0F1F
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 029D0F9E
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 029D0FB9
.text C:\WINDOWS\System32\svchost.exe[1476] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 029D0060
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 029C003D
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 029C009F
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 029C002C
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 029C001B
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 029C008E
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 029C0000
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 029C0069
.text C:\WINDOWS\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 029C0058
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 029B005F
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 029B0044
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 029B0FEF
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 029B000C
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 029B0FD4
.text C:\WINDOWS\System32\svchost.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 029B001D
.text C:\WINDOWS\System32\svchost.exe[1476] WS2_32.dll!socket 71AB4211 5 Bytes JMP 029A0FEF
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02990FE5
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02990FCA
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0299000A
.text C:\WINDOWS\System32\svchost.exe[1476] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 02990FB9
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650080
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0065005B
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F97
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500A7
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F5F
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500D3
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500B8
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006500E4
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00650F70
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F3A
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640022
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0064005F
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640011
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640FAC
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0064004E
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640033
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630FAF
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FCA
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0063003A
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0063000C
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630FDB
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063001D
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C007D
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C0062
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C0F94
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0FA5
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C003D
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C0F57
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C009F
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C00C4
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C0F21
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0F10
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C0FB6
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C008E
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C002C
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C001B
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C0F3C
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B001E
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0040
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0FCD
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0FDE
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0F8D
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008B0F9E
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AB, 88]
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B002F
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0F9C
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0FAD
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A000C
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A001D
.text C:\WINDOWS\system32\svchost.exe[1608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A0FDE
.text C:\WINDOWS\system32\svchost.exe[1608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C003B
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0F46
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0020
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExA 7C801D53 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F57
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0F83
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F10
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C004C
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0EE4
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C007D
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0EC9
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0F72
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FDE
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F2B
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FB9
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0EFF
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F9E
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0FB9
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B005B
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0040
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0F95
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FA6
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0016
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FB7
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FDE
.text C:\WINDOWS\system32\svchost.exe[1732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01B70000
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01B70093
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01B70F9E
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01B70078
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01B70FAF
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01B70040
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01B70F72
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01B700AE
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01B700F0
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01B700DF
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01B7010B
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01B70051
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01B70FE5
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01B70F83
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01B7001B
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01B70FD4
.text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01B70F61
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01B60FD4
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01B60F94
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01B60FE5
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01B6001B
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01B60051
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01B6000A
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01B60040
.text C:\WINDOWS\Explorer.EXE[2028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01B60FB9
.text C:\WINDOWS\Explorer.EXE[2028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80062
.text C:\WINDOWS\Explorer.EXE[2028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F80047
.text C:\WINDOWS\Explorer.EXE[2028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F8002C
.text C:\WINDOWS\Explorer.EXE[2028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80000
.text C:\WINDOWS\Explorer.EXE[2028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80FCD
.text C:\WINDOWS\Explorer.EXE[2028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F80011
.text C:\WINDOWS\Explorer.EXE[2028] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BC0000
.text C:\WINDOWS\Explorer.EXE[2028] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BC0FDB
.text C:\WINDOWS\Explorer.EXE[2028] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\Explorer.EXE[2028] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00BC001B
.text C:\WINDOWS\Explorer.EXE[2028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F68
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0053
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0F79
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F3C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F57
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB0EEB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB0F06
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB009F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB0082
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB0FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB0F2B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008C0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008C0F7C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008C0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008C0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008C0F97
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008C000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008C0039
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008C0FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008B0FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] msvcrt.dll!system 77C293C7 5 Bytes JMP 008B0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008B0029
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008B000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008B0044
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008B0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008A0000
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B8005B
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80040
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F72
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80F83
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FB9
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F26
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F41
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80EE9
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80EFA
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B8009D
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80F9E
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B8006C
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FCA
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\system32\svchost.exe[2548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F0B
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FB6
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70F6F
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FDB
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B7002C
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B70F8A
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D7, 88]
.text C:\WINDOWS\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70FA5
.text C:\WINDOWS\system32\svchost.exe[2548] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[2548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60022
.text C:\WINDOWS\system32\svchost.exe[2548] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[2548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FBC
.text C:\WINDOWS\system32\svchost.exe[2548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[2548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60FAB
.text C:\WINDOWS\system32\svchost.exe[2548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FE3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2976] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A00AE
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0089
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A006C
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A005B
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F72
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F83
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F57
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F21
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A004A
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A002F
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\system32\dllhost.exe[3100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00D5
.text C:\WINDOWS\system32\dllhost.exe[3100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290058
.text C:\WINDOWS\system32\dllhost.exe[3100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290047
.text C:\WINDOWS\system32\dllhost.exe[3100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FCD
.text C:\WINDOWS\system32\dllhost.exe[3100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\dllhost.exe[3100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290022
.text C:\WINDOWS\system32\dllhost.exe[3100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F79
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F94
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FA5
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\system32\dllhost.exe[3100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\dllhost.exe[3100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A30087
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A3006C
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A30051
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A30040
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A300D0
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A300BF
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A30117
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A30106
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A30F63
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A30F9E
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A300A2
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A30FAF
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\dllhost.exe[3312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A300EB
.text C:\WINDOWS\system32\dllhost.exe[3312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10FA8
.text C:\WINDOWS\system32\dllhost.exe[3312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\system32\dllhost.exe[3312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\dllhost.exe[3312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A1000C
.text C:\WINDOWS\system32\dllhost.exe[3312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10029
.text C:\WINDOWS\system32\dllhost.exe[3312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20F94
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A20FAF
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A20051
.text C:\WINDOWS\system32\dllhost.exe[3312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A20040
.text C:\WINDOWS\system32\dllhost.exe[3312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00FEF
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3336] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10405CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AB00310

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip 891852F0
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\mfetdik \Device\mfetdik 891852F0

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp 891852F0
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp 891852F0
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp 891852F0

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] djebeoyo <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000c7833a8f3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000c7833a8f3@00165309b0cf 0xAF 0x57 0x6D 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\Services\djebeoyo@mrueyjx -1277356862
Reg HKLM\SYSTEM\ControlSet002\Services\djebeoyo@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\djebeoyo@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\djebeoyo@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\djebeoyo@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000c7833a8f3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000c7833a8f3@00165309b0cf 0xAF 0x57 0x6D 0x24 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\djebeoyo@mrueyjx -1277356862
Reg HKLM\SYSTEM\CurrentControlSet\Services\djebeoyo@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\djebeoyo@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\djebeoyo@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\djebeoyo@Group Boot Bus Extender

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

Edited by needhelp16, 02 January 2011 - 01:20 PM.



#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 02 January 2011 - 04:39 PM

Hello needhelp16,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 needhelp16 (Topic Starter, Members, 50 posts)

Posted 02 January 2011 - 11:25 PM

Thank you fireman4it. I will wait for your instructions.

#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 02 January 2011 - 11:58 PM

Hello,

Let's get started cleaning your machine.

1.
We need to uninstall AVG so that we can run ComboFix, as it interferes with it.

Uninstall AVG 32 bit


You should be able to remove AVG Anti-Virus via Start > Control Panel > Add or Remove Programs.
If you need instructions on how to do so, please consult: How To Remove An Installed Program From Your Computer

The following instructions can be used to uninstall the program if the uninstall via Add/remove does not work:

  • Download the latest installation file of AVG from their website.
  • After downloading, run the file and choose the Uninstall Product option in the Select Setup Type dialogue.
  • Finish the uninstallation process and restart your computer.



    If this fails as well, you can try to use AVGremover:

  • Download avgremover.exe and save it to your Desktop
  • Run the file avgremover.exe
  • Confirm that you want to uninstall.
  • Wait until the program confirms the removal.
  • Restart your computer.

    AVG should now be removed from your PC.


    Original instructions here:
    http://www.avg.com/faq.num-1119#faq_1119


2.
Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in remservice.bat for the file name. Right below that click the down arrow in the line for "save as" and select all files. Save this to your desktop and close notepad.

@echo off
rem Stop the hidden boot-start service reported in the GMER log, then remove its registration
sc stop djebeoyo
sc delete djebeoyo
rem The batch file removes itself once it has run
del remservice.bat
EXIT
Locate the remservice icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal.

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system



3.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 needhelp16 (Topic Starter, Members, 50 posts)

Posted 03 January 2011 - 02:09 PM

I followed the instructions and had the following problems during the process:

1. After uninstalling AVG and restarting, the system could not start in normal mode and was having a blue screen and/or stripes, and I finally had to start in safe mode.
2. With ComboFix, even after I had uninstalled AVG and disabled McAfee, it said that they were running but continued with it (I tried to cancel it but it continued).
3. ComboFix did not find recovery console so I asked to install but it said that no internet connection was present. I canceled it and then it started with recovery console installation and completed it successfully.

I think that the system seems to be running fine now. I will restart and check it a couple more times just in case something shows up and will report back.

Here is the log from the file
=============================

ComboFix 11-01-03.01 - admin 01/03/2011 12:42:06.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1689 [GMT -6:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\g2mdlhlpx.exe
c:\documents and settings\admin\Local Settings\Application Data\{A4849A4B-8B9B-4602-AA64-BA43BE80B270}
c:\documents and settings\admin\Local Settings\Application Data\{A4849A4B-8B9B-4602-AA64-BA43BE80B270}\chrome.manifest
c:\documents and settings\admin\Local Settings\Application Data\{A4849A4B-8B9B-4602-AA64-BA43BE80B270}\chrome\content\_cfg.js
c:\documents and settings\admin\Local Settings\Application Data\{A4849A4B-8B9B-4602-AA64-BA43BE80B270}\chrome\content\overlay.xul
c:\documents and settings\admin\Local Settings\Application Data\{A4849A4B-8B9B-4602-AA64-BA43BE80B270}\install.rdf
c:\windows\system32\0505134.dat
c:\windows\system32\2433899.dat
c:\windows\system32\7957630.dat
c:\windows\system32\9577015.dat
c:\windows\system32\9718357.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-01 19:53 . 2011-01-01 19:53 -------- d-----w- c:\program files\Runtime Software
2010-12-29 21:46 . 2010-12-29 21:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-12-29 21:46 . 2010-12-29 21:46 -------- d-----w- c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2010-12-29 21:46 . 2010-12-29 22:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-29 20:22 . 2010-12-29 20:22 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2010-12-29 20:22 . 2010-12-29 20:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-12-29 20:22 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 20:22 . 2010-12-29 21:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 20:22 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 19:48 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-29 19:47 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-29 19:46 . 2010-12-29 19:47 -------- d-----w- C:\d626f7d1d9fc54cc6dc5cc85d04b15
2010-12-29 19:45 . 2010-12-29 19:45 388096 ----a-r- c:\documents and settings\admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-29 19:45 . 2010-12-29 19:45 -------- d-----w- c:\program files\Trend Micro
2010-12-14 02:12 . 2010-12-14 02:12 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-03 18:49 . 2008-07-15 17:21 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-01-03 18:49 . 2008-07-16 13:54 57752 ----a-w- c:\windows\system32\rpcnet.dll
2011-01-03 18:48 . 2008-07-15 17:18 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-01-03 17:32 . 2008-05-01 14:10 90112 ----a-w- c:\windows\DUMP7a49.tmp
2011-01-03 17:25 . 2008-05-01 14:10 90112 ----a-w- c:\windows\DUMP70c7.tmp
2010-12-30 05:19 . 2008-07-16 13:47 57752 ------w- c:\windows\system32\rpcnet.exe
2010-11-18 18:12 . 2008-05-01 19:25 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-09-14 75064]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-09-12 176128]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmZIXntpf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmZIXnZP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKbMc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKbuqc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2006-11-17 18:39 136768 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-02-17 07:30 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 08:03 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"usnjsvc"=3 (0x3)
"stllssvr"=3 (0x3)
"SecureStorageService"=3 (0x3)
"rpcnetp"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/1/2008 7:58 AM 2521880]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 6:00 AM 5120]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [7/29/2008 2:09 PM 39424]

--- Other Services/Drivers In Memory ---

*Deregistered* - djebeoyo
.
Contents of the 'Scheduled Tasks' folder

2011-01-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:53453
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\5q572yk4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
HKLM-Run-RoxioDragToDisc - c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
SafeBoot-aawservice
MSConfigStartUp-Ebudubizebuf - c:\windows\ml2sft32.dll
MSConfigStartUp-MKaoc - c:\windows\debug.exe
MSConfigStartUp-MKasc - c:\windows\drweb.exe
MSConfigStartUp-MKayc - c:\windows\csrss.exe
MSConfigStartUp-MKaZ - c:\windows\cmd.exe
MSConfigStartUp-MKbta - c:\windows\install.exe
MSConfigStartUp-MKbtc - c:\windows\hexdump.exe
MSConfigStartUp-MKcrc - c:\windows\login.exe
MSConfigStartUp-MKcuc - c:\windows\lsass.exe
MSConfigStartUp-MKcZ - c:\windows\mdm.exe
MSConfigStartUp-MKdw+ - c:\windows\nvsvc32.exe
MSConfigStartUp-MKeg - c:\windows\smss.exe
MSConfigStartUp-MKerb - c:\windows\taskmgr.exe
MSConfigStartUp-MKeta - c:\windows\services.exe
MSConfigStartUp-MKetc - c:\windows\sysedit.exe
MSConfigStartUp-3.6 - c:\windows\sysedit.exe
MSConfigStartUp-MKeuf - c:\windows\spoolsv.exe
MSConfigStartUp-MKevc - c:\windows\setup.exe
MSConfigStartUp-MKexe - c:\windows\system.exe
MSConfigStartUp-MKfa - c:\windows\win.exe
MSConfigStartUp-MKfPc - c:\windows\win16.exe
MSConfigStartUp-MKfpe - c:\windows\winamp.exe
MSConfigStartUp-MKfre - c:\windows\wininst.exe
MSConfigStartUp-MKZe - c:\windows\avp.exe
MSConfigStartUp-Tsanor - c:\windows\ixiqejiv.dll
MSConfigStartUp-uPc+MV0NcMJsiv - c:\windows\system32\sk9n3.dll
MSConfigStartUp-uPc+MV0NMcJsiv - c:\windows\system32\m19mq.dll
MSConfigStartUp-uPc+MV0NtOJsiv - c:\windows\system32\vtn5q.dll
AddRemove-Adobe_32fdd767b4383606e8168e834af5d90 - c:\program files\Common Files\Adobe\Installers\32fdd767b4383606e8168e834af5d90\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\djebeoyo]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(932)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rpcnet.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2011-01-03 12:54:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-03 18:54

Pre-Run: 112,835,641,344 bytes free
Post-Run: 113,863,729,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 74E8FE841C9AA10907FFEACEFBB0A1C5
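The log above carries several textbook hijack indicators worth pulling out explicitly: IE's proxy pointed at 127.0.0.1:53453 (the malware's own local listener), Firefox's keyword.URL redirected to search.fresh-search.net from both prefs.js and a planted user.js, a batch of MSConfigStartUp entries that park copies of system-binary names (csrss.exe, lsass.exe, smss.exe, services.exe and friends) in c:\windows instead of c:\windows\system32, and a driver, djebeoyo, that is only visible as *Deregistered*. The following Python script is an added triage example, not ComboFix output and not a BleepingComputer tool; it scans a ComboFix-style log for exactly those patterns. The sample lines embedded in it are copied from the log above; the indicator names, the list of system32-only binaries and the remediation notes are the example's own choices, and the proxy note reflects general WinINet behaviour (a leftover loopback proxy breaks IE and other WinINet clients once the process that listened on that port is gone).

```python
"""Triage helper for ComboFix-style logs.

Added example, not part of the original thread or of ComboFix.
Flags: a proxy pointed at loopback, a keyword.URL search hijack,
system-binary names masquerading outside system32, and drivers
ComboFix reports as *Deregistered*.
"""
import re

# Binaries that legitimately live in %SystemRoot%\system32; a copy one
# directory up (c:\windows\csrss.exe) is a classic masquerade.
# Example's own list; extend it for your environment.
SYSTEM32_ONLY = {
    "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "spoolsv.exe",
    "svchost.exe", "winlogon.exe", "taskmgr.exe", "cmd.exe", "mdm.exe",
}

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.I)
KEYWORD_RE = re.compile(r"keyword\.URL\s*-\s*(?P<url>\S+)", re.I)
STARTUP_RE = re.compile(r"^MSConfigStartUp-\S+\s*-\s*(?P<path>.+?)\s*$", re.I)
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(?P<name>\S+)", re.I)
LOOPBACK = ("127.", "localhost")

# Remediation notes are the example's own wording.
REMEDIATION = {
    "loopback-proxy": ("Clear ProxyServer/ProxyEnable under HKCU\\Software\\Microsoft\\"
                       "Windows\\CurrentVersion\\Internet Settings; once the listening "
                       "process is gone, IE and other WinINet clients fail until this is removed."),
    "search-hijack": "Reset keyword.URL in prefs.js and delete the planted user.js in the profile.",
    "masquerade": "Remove the file; the genuine binary of that name lives in system32.",
    "deregistered-driver": "Delete the driver file and its CurrentControlSet\\Services\\<name> key.",
}

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.mail.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:53453
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
MSConfigStartUp-MKayc - c:\windows\csrss.exe
MSConfigStartUp-MKcuc - c:\windows\lsass.exe
MSConfigStartUp-MKfpe - c:\windows\winamp.exe
HKLM-Run-RoxioDragToDisc - c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
*Deregistered* - djebeoyo
"""


def analyze(log_text):
    """Return an ordered, de-duplicated list of (indicator, detail) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            # "http=127.0.0.1:53453" -> keep only host:port after any scheme=
            target = m.group("value").split("=")[-1]
            if target.lower().startswith(LOOPBACK):
                findings.append(("loopback-proxy", target))
            continue
        m = KEYWORD_RE.search(line)
        if m:
            # Strip the defanged hxxp:// scheme and keep the host only.
            host = re.sub(r"^hxxps?://", "", m.group("url"), flags=re.I).split("/")[0]
            findings.append(("search-hijack", host))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = m.group("path").lower().replace("/", "\\")
            parent, _, name = path.rpartition("\\")
            if name in SYSTEM32_ONLY and parent.endswith("\\windows"):
                findings.append(("masquerade", path))
            continue
        m = DEREG_RE.match(line)
        if m:
            findings.append(("deregistered-driver", m.group("name")))
    return list(dict.fromkeys(findings))


def remediation(indicator):
    """Canned next step for an indicator name returned by analyze()."""
    return REMEDIATION.get(indicator, "No canned advice; review manually.")


def report(log_text):
    """Human-readable lines: one per finding, with the suggested action."""
    return ["%-20s %s\n    -> %s" % (kind, detail, remediation(kind))
            for kind, detail in analyze(log_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved ComboFix.txt by passing the file contents to report(). The loopback-proxy check is the one to look at first whenever browsing stops working right after a cleanup: the setting outlives the process that answered on that port, so every WinINet request is sent to a listener that no longer exists. Firefox in this log has network.proxy.type set to 0 (direct), so it is not affected by the IE proxy, but it still carries the search hijack from both prefs.js and user.js.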

#6 needhelp16 (Topic Starter)

Posted 03 January 2011 - 04:42 PM

For some reason, after I restarted the system, the internet connection is not working. I tried both wireless and wired in normal and safe modes but it does not work. I have another system that I am working on right now and the connection is fine on that so there is no problem with my internet connection for sure.

Please advise. Thanks again for all the help!!

#7 needhelp16 (Topic Starter)

Posted 03 January 2011 - 05:13 PM

I restarted again and this time it began to change the screen from normal to black and was hanging there, so I manually switched it off after I saw the desktop and started again. Now I saw blue/pink stripes during the start-up process and the same after it was showing the desktop. When I started in safe mode, it was fine but again no internet connection could be made. Finally, I restarted in normal mode and it started without any blue screens, but still no internet connection, though it shows that it is connected to my wireless network.

#8 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 03 January 2011 - 06:33 PM

Hello,

Combofix did not delete anything that would have to do with your Internet connection. Let's try a couple of other things to see if you can get it back.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

File::c:\windows\system32\drivers\djebeoyo.sys

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:53453

Firefox::
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\5q572yk4.default\
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmZIXntpf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUmZIXnZP]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKbMc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKbuqc]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\djebeoyo]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=-

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Driver::
djebeoyo


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above (not reproduced here), drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
  • Go to Start -> Control Panel -> Network and Internet Connection ->Network Connections.
  • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click on the Properties option.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice.
  • Go to Start -> Run...
  • In the Open: field type cmd and click OK or hit Enter.
    This will open a Command Prompt.
  • At the DOS prompt screen, type in ipconfig /flushdns and then press Enter (notice the space between "ipconfig" and "/flushdns").
  • Exit the Command Prompt.
  • Reboot your PC and try to open any website.


3.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2
Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

4.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Things to include in your next reply::
Combofix.txt
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 needhelp16 (Topic Starter)

Posted 03 January 2011 - 09:37 PM

At the end of step 2, I am still not connected to the internet. I tried installing MBAM from another computer and could not update the files because of the internet connection. I even got the mbam-rules.exe from the other computer, but running it did not help. I then ran it as it is and it showed no infections. I then thought of again trying the internet and did it with a wired connection. Luckily it worked and I was able to repeat the steps with MBAM and got it updated. This time, I found one infection and removed it. I am now running the online scanner and so far it is okay, but before I started it, my screen again showed faded blue bars. Hope that it goes away after this. I will update you with the logs in a few minutes.

#10 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 03 January 2011 - 09:54 PM

Hello,

I see you have a lot of services not running. You should let these services run and see if you now have internet services.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"usnjsvc"=3 (0x3)
"stllssvr"=3 (0x3)
"SecureStorageService"=3 (0x3)
"rpcnetp"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)



#11 needhelp16 (Topic Starter)

Posted 03 January 2011 - 10:52 PM

ComboFix 11-01-03.01 - admin 01/03/2011 19:43:08.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1613 [GMT -6:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\autochk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DJEBEOYO
-------\Service_djebeoyo


((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
.

2011-01-03 21:13 . 2011-01-03 21:13 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Yahoo
2011-01-03 21:12 . 2011-01-03 21:12 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\PrivacIE
2011-01-03 21:12 . 2011-01-03 21:12 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Yahoo!
2011-01-01 19:53 . 2011-01-01 19:53 -------- d-----w- c:\program files\Runtime Software
2010-12-29 21:46 . 2010-12-29 21:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-12-29 21:46 . 2010-12-29 21:46 -------- d-----w- c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2010-12-29 21:46 . 2010-12-29 22:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-29 20:22 . 2010-12-29 20:22 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2010-12-29 20:22 . 2010-12-29 20:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-12-29 20:22 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 20:22 . 2010-12-29 21:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 20:22 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 19:48 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-29 19:47 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-29 19:46 . 2010-12-29 19:47 -------- d-----w- C:\d626f7d1d9fc54cc6dc5cc85d04b15
2010-12-29 19:45 . 2010-12-29 19:45 388096 ----a-r- c:\documents and settings\admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-29 19:45 . 2010-12-29 19:45 -------- d-----w- c:\program files\Trend Micro
2010-12-14 02:12 . 2010-12-14 02:12 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-04 01:50 . 2008-07-15 17:18 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-01-04 01:50 . 2008-07-16 13:54 57752 ----a-w- c:\windows\system32\rpcnet.dll
2011-01-04 01:49 . 2010-11-20 01:41 761856 ----a-w- c:\windows\system32\drivers\djebeoyo.sys
2011-01-04 01:30 . 2008-07-15 17:21 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-01-03 17:32 . 2008-05-01 14:10 90112 ----a-w- c:\windows\DUMP7a49.tmp
2011-01-03 17:25 . 2008-05-01 14:10 90112 ----a-w- c:\windows\DUMP70c7.tmp
2010-12-30 05:19 . 2008-07-16 13:47 57752 ------w- c:\windows\system32\rpcnet.exe
2010-11-18 18:12 . 2008-05-01 19:25 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-09-14 75064]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-09-12 176128]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2006-11-17 18:39 136768 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-02-17 07:30 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 08:03 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"stllssvr"=3 (0x3)
"SecureStorageService"=3 (0x3)
"rpcnetp"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/1/2008 7:58 AM 2521880]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 6:00 AM 5120]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [7/29/2008 2:09 PM 39424]
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\5q572yk4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: browser.search.order.1 - Search
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 19:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(276)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rpcnet.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2011-01-03 19:54:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-04 01:54
ComboFix2.txt 2011-01-03 18:54

Pre-Run: 113,498,804,224 bytes free
Post-Run: 113,833,365,504 bytes free

- - End Of File - - C9CCE4144359E9B7F06E47917E812823

#12 needhelp16 (Topic Starter)

Posted 03 January 2011 - 10:53 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5419

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/29/2010 3:32:29 PM
mbam-log-2010-12-29 (15-32-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 325619
Time elapsed: 23 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Value: {B1BA20C1-A503-59BD-F412-03B53A2C8951} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Value: {B1BA20C1-A503-59BD-F412-03B53A2C8951} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\admin\Desktop\dp051309\software\xvidsetup.exe (Adware.Hotbar.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\WSTB\localex86.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
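The MBAM 1.x log format above is regular enough to parse, and a responder reading a pasted log usually wants two things from it: confirmation that the header counts match the itemized entries (a mismatch means the paste was truncated or hand-edited) and a view of which entries belong to the same component. The script below is an added example written for this thread; it is not Malwarebytes' code and not something any participant posted. SAMPLE_LOG is a constructed, shortened copy of the log above, and the function and field names are the example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the MBAM log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100

Database version: 5419

Scan type: Full scan (C:\|D:\|)
Objects scanned: 325619
Time elapsed: 23 minute(s), 14 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Value: {B1BA20C1-A503-59BD-F412-03B53A2C8951} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{B1BA20C1-A503-59BD-F412-03B53A2C8951} (Trojan.Ertfor) -> Value: {B1BA20C1-A503-59BD-F412-03B53A2C8951} -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\admin\Desktop\dp051309\software\xvidsetup.exe (Adware.Hotbar.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\WSTB\localex86.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # section start
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # header count
META_RE = re.compile(r"^([A-Za-z ]+): (.+)$")                # "key: value"
ITEM_RE = re.compile(r"^(?P<location>.+) \((?P<family>[^()]+)\)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str      # e.g. "Registry Keys Infected"
    location: str     # registry path or file path
    family: str       # MBAM detection name, e.g. "Trojan.Ertfor"
    action: str       # e.g. "Quarantined and deleted successfully"
    details: tuple    # anything between location and action, e.g. "Value: {...}"


@dataclass
class Report:
    meta: dict
    summary: dict
    findings: list


def parse_mbam_log(text):
    """Walk the log once: metadata and counts first, then itemized sections."""
    meta, summary, findings, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group(1)] = int(m.group(2))
                continue
            m = META_RE.match(line)
            if m:
                meta[m.group(1)] = m.group(2)
            continue
        if line == "(No malicious items detected)":
            continue
        parts = line.split(" -> ")
        m = ITEM_RE.match(parts[0])
        if len(parts) < 2 or not m:
            raise ValueError("unrecognised item line: " + line)
        findings.append(Finding(current, m["location"], m["family"],
                                parts[-1].rstrip("."), tuple(parts[1:-1])))
    return Report(meta, summary, findings)


def check_counts(report):
    """Header counts versus itemized entries; non-empty result means the log is incomplete."""
    mismatches = {}
    for section, expected in report.summary.items():
        actual = sum(1 for f in report.findings if f.section == section)
        if actual != expected:
            mismatches[section] = (expected, actual)
    return mismatches


def family_counts(findings):
    """How many entries each detection name accounts for."""
    return Counter(f.family for f in findings)


def guid_index(findings):
    """Distinct locations per CLSID. In the log above one CLSID is registered
    under HKCR\\CLSID, tracked under IE's Ext\\Stats and listed under Explorer's
    SharedTaskScheduler; the last is the autostart hook (Explorer instantiates
    those CLSIDs at logon), so it is the entry that gave the trojan persistence."""
    index = defaultdict(set)
    for f in findings:
        for guid in GUID_RE.findall(f.location):
            index[guid.upper()].add(f.location)
    return index


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(report))
    print("families:", dict(family_counts(report.findings)))
    for guid, locations in guid_index(report.findings).items():
        print(guid, "seen at", len(locations), "locations")
```

Feed it the full text of an MBAM log instead of SAMPLE_LOG to get the same checks on a real paste; a non-empty result from check_counts is the cue to ask for the log again before acting on it.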

#13 needhelp16 (Topic Starter)

Posted 03 January 2011 - 10:56 PM

ESET did not find anything and there was no option to save any log. The internet is working fine even in wireless mode, but I see thin blue stripes all over the screen. They were not there when I restarted but came back within a few minutes.

#14 needhelp16 (Topic Starter)

Posted 03 January 2011 - 11:08 PM

When I was shutting down my system, I had a "TCSD_WIN32.EXE" error and then the system finally shut down. Then I restarted, and during start-up the stripes came back and the system crashed after showing a blue screen. It gave me an option to start normally or in safe mode; I chose normal, but the same thing happened again. This time I chose safe mode with networking and the system started, but again with stripes all over the screen. The stripes went away after a few minutes. I will try again in normal and safe modes and update with the results.

#15 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 03 January 2011 - 11:53 PM

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\djebeoyo.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.

2.
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, go here: Adobe Update Page and scroll down to UPDATES/PROGRAMS. From there download: Adobe Reader X update - multiple languages and save it to your desktop.
  • Double-click the file AdbeRdrUpdX_all_incr.msp on your desktop to start installing the update and follow the prompts.
  • Once the update is done click Exit.
Your Adobe Reader is now up to date!

3.
Please update and run another scan with MalwareBytes. We like seeing all 0's

Things to include in your next reply:
Avenger report
MBAM log
A new DDS log
Do you have a LCD monitor?

Edited by fireman4it, 04 January 2011 - 12:01 AM.