

google redirect


This topic is locked
11 replies to this topic

#1 bookmom

bookmom

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 16 April 2011 - 10:20 PM

I have had an ongoing problem with my computer when searching with Google: I keep getting redirected to a variety of other websites before getting to the one I wanted. I have attached the HijackThis log. I probably have tons of stuff running that I shouldn't.

Many Thanks!!

Angela

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:12:48 PM, on 4/16/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\Windows Live\Mail\wlmail.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101106101535.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [USBToolTip] C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [GlobeCom_Full_Client_McciTrayApp] "C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe -update activex
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: &Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: &Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: &Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF &Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268867818461
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268867868805
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: netmgr.dll taskext.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor V9 (AdobeActiveFileMonitor9.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bitrgwiz (bitrgwiz.exe) - Unknown owner - C:\WINDOWS\system32\bitrgwiz.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 14317 bytes
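A small triage helper for the HijackThis entry formats that appear in this log (O4 Run values, the O20 AppInit_DLLs line, O23 services), added here as an example; it is not code from BleepingComputer, the Malware Response Team or Trend Micro. The sample lines are copied from the log above, and the rules only flag entries for a human to check (unpathed Run values, any AppInit_DLLs entry, services with an unknown owner or a missing binary); they are not a verdict on any file.

```python
import re
from dataclasses import dataclass

# Constructed sample input: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\\..\\Run: [mcui_exe] "C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe" /runkey
O4 - Startup: PowerReg Scheduler V3.exe
O20 - AppInit_DLLs: netmgr.dll taskext.dll
O23 - Service: Bitrgwiz (bitrgwiz.exe) - Unknown owner - C:\\WINDOWS\\system32\\bitrgwiz.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "review"
    section: str    # HijackThis section code, e.g. "O20"
    subject: str    # the DLL, executable or service the finding is about
    reason: str
    raw: str        # the original log line


# O4 entries look like "O4 - <location>: [<name>] <command>"; Startup-folder lines have no [name].
_O4 = re.compile(r'^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$')
# First program-looking token of a command line: quoted or not, may contain spaces,
# and must be followed by end-of-string, a closing quote or whitespace (so "McAfee.com\..." is not cut).
_EXE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|scr|com|pif|bat|cmd|lnk))(?=$|"|\s)', re.I)
_ABS = re.compile(r'^(?:[A-Za-z]:\\|%[^%]+%\\)')   # drive-letter or %VAR% rooted path


def executable_of(cmd: str) -> str:
    """Return the program path (without arguments) from an O4 command string."""
    m = _EXE.match(cmd)
    if m:
        return m.group('exe')
    parts = cmd.strip('"').split()
    return parts[0] if parts else ''


def triage_line(line: str) -> list:
    """Apply the per-section checks to one HijackThis log line."""
    line = line.rstrip()
    out = []
    if line.startswith('O4 - '):
        m = _O4.match(line)
        if m and 'Run' in m.group('loc'):
            exe = executable_of(m.group('cmd'))
            if exe and not _ABS.match(exe):
                # A bare file name is resolved by the loader search order, so the file
                # that actually runs is not obvious from the registry value alone.
                out.append(Finding('review', 'O4', exe,
                                   'Run value has no absolute path; confirm which file is '
                                   'actually loaded', line))
    elif line.startswith('O20 - AppInit_DLLs:'):
        # Every DLL listed here is loaded into every process that loads user32.dll.
        for dll in re.split(r'[\s,]+', line.split(':', 1)[1].strip()):
            if dll:
                out.append(Finding('high', 'O20', dll,
                                   'AppInit_DLLs entry: loaded into every GUI process; verify '
                                   'the file, its signer and its on-disk attributes', line))
    elif line.startswith('O23 - Service:'):
        # "O23 - Service: <display name> (<svcname>) - <owner> - <path>[ (file missing)]"
        parts = line.split(' - ')
        if len(parts) >= 4:
            svc = parts[1][len('Service: '):]
            owner, path = parts[2], ' - '.join(parts[3:])
            reasons = []
            if owner.lower() == 'unknown owner':
                reasons.append('no vendor recorded in the binary')
            if path.endswith('(file missing)'):
                reasons.append('service registered but its binary is absent')
            if reasons:
                out.append(Finding('review', 'O23', svc, '; '.join(reasons), line))
    return out


def triage(log_text: str) -> list:
    """Run triage_line over a whole HijackThis log and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.section} {f.subject}: {f.reason}')
```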


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:39 AM

Posted 17 April 2011 - 12:34 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 bookmom

bookmom
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 17 April 2011 - 06:34 PM

Hope this is what you need, thanks for your help

Angela

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Angela at 13:23:56.34 on Sun 04/17/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2519 [GMT -7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Angela\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101106101535.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [GlobeCom_Full_Client_McciTrayApp] "c:\program files\telus\telus support centre\bin\McciTrayApp.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\angela\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\angela\start menu\programs\startup\PowerReg Scheduler V3.exe
IE: &Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: &Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: &Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43a0-0d85-11d4-9908-00400523e39a} c:\program files\siber systems\ai roboform\roboformcomshowtoolbar.html - c:\program files\siber systems\ai roboform\roboformcomshowtoolbar.html\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268867818461
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268867868805
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: netmgr.dll taskext.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-30 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-17 84072]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-3-31 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1753048]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-17 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-17 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-17 55840]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2010-3-17 18864]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-17 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-17 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-17 88544]
S2 bitrgwiz.exe;Bitrgwiz;"c:\windows\system32\bitrgwiz.exe" /s /p 27016 --> c:\windows\system32\bitrgwiz.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-26 136176]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2008-7-29 39424]
S3 jnv4_mib;jnv4_mib;\??\c:\docume~1\angela\locals~1\temp\jnv4_mib.sys --> c:\docume~1\angela\locals~1\temp\jnv4_mib.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-13 15232]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-17 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-17 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-17 84264]
.
=============== Created Last 30 ================
.
2011-04-17 03:07:23 388096 ----a-r- c:\docume~1\angela\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-17 03:07:22 -------- d-----w- c:\program files\Trend Micro
2011-04-15 02:45:58 -------- d-----w- c:\docume~1\angela\locals~1\applic~1\ACD Systems
2011-04-15 02:45:57 -------- d-----w- c:\docume~1\angela\applic~1\ACD Systems
2011-04-15 02:44:40 -------- d-----w- c:\program files\common files\ACD Systems
2011-04-15 02:39:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Visan
2011-04-15 02:39:23 -------- d-----w- c:\docume~1\angela\applic~1\Visan
2011-04-12 15:51:46 -------- d-----w- c:\program files\Citrix
2011-04-12 15:51:24 72080 ----a-w- c:\documents and settings\angela\g2mdlhlpx.exe
2011-04-10 02:16:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-10 02:16:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-30 22:31:50 -------- d-----w- c:\program files\File Type Assistant
.
==================== Find3M ====================
.
2011-04-07 07:59:03 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-11 20:37:16 487936 --sh--w- c:\windows\system32\netmgr.dll
2011-03-11 20:37:12 69632 --sh--w- c:\windows\system32\taskext.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-19 00:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 04:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 13:25:38.79 ===============



GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-17 16:31:16
Windows 5.1.2600 Service Pack 3
Running: le42ijhi.exe; Driver: C:\DOCUME~1\Angela\LOCALS~1\Temp\kxtcifow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA11887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA118BFE]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9ED50F6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9ED5122]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9ED5178]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9ED50CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9ED50A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9ED50B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9ED510C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9ED514E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9ED51A2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9ED518E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9ED5162]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9ED5166 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9ED517C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9ED5192 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9ED5152 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9ED50A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9ED50BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9ED51A6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9ED5110 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9ED50FA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9ED5126 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9ED50D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8D61000, 0x22F0B7, 0xE8000020]
? C:\DOCUME~1\Angela\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\System32\svchost.exe[220] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\System32\svchost.exe[220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F68
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB005D
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB004C
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0025
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB00B0
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB009F
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F2B
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F3C
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F1A
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F9E
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0078
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\svchost.exe[220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F57
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA005B
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA002F
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0000
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BA0FB9
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DA, 88]
.text C:\WINDOWS\System32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0040
.text C:\WINDOWS\System32\svchost.exe[220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FB7
.text C:\WINDOWS\System32\svchost.exe[220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FC8
.text C:\WINDOWS\System32\svchost.exe[220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD002E
.text C:\WINDOWS\System32\svchost.exe[220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FD9
.text C:\WINDOWS\System32\svchost.exe[220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0011
.text C:\WINDOWS\System32\svchost.exe[276] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\System32\svchost.exe[276] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C3000A
.text C:\WINDOWS\System32\svchost.exe[276] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F5C
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20F6D
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20047
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F94
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C2002C
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20F24
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20076
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20EF8
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C20091
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C200B6
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FA5
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20000
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20F4B
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C2001B
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\System32\svchost.exe[276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C20F13
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60FC3
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60F90
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60014
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C60FA1
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C60039
.text C:\WINDOWS\System32\svchost.exe[276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C60FB2
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50FA8
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C50033
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C50011
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C50000
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C50022
.text C:\WINDOWS\System32\svchost.exe[276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C50FD7
.text C:\WINDOWS\System32\svchost.exe[276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0015000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00150FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0015001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F91
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270086
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270075
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0027004E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FB6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002700C3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002700B2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270F31
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700D4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00270F20
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0027003D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002700A1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270022
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270F56
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360022
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360084
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360073
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00360058
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0036003D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370020
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370F95
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FC1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370FE3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FB0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] Ws2_32.dll!socket 71AB4211 5 Bytes JMP 012A0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] Ws2_32.dll!connect 71AB4A07 2 Bytes JMP 10029F50 C:\WINDOWS\system32\netmgr.dll (Games for Windows® - LIVE Splash Screen/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] Ws2_32.dll!connect + 3 71AB4A0A 2 Bytes [57, 9E] {PUSH EDI; SAHF }
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 03CA2D20 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 03CA2C00 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 03CA2EC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 03CA2FC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 012B0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 012B0011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 012B0FDB
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 012B0FB6
.text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FAF
.text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FCA
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0090
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B007F
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0062
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FA5
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB6
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00D7
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00C6
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B010D
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F74
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F59
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0047
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B00AB
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B002C
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0011
.text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00F2
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FB6
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F79
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0011
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F94
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FA5
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\Explorer.EXE[520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0022
.text C:\WINDOWS\Explorer.EXE[520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B005F
.text C:\WINDOWS\Explorer.EXE[520] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\Explorer.EXE[520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0029
.text C:\WINDOWS\Explorer.EXE[520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B003A
.text C:\WINDOWS\Explorer.EXE[520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[520] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[520] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\Explorer.EXE[520] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002D0FB9
.text C:\WINDOWS\Explorer.EXE[520] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 002D0F9E
.text C:\WINDOWS\Explorer.EXE[520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01570FEF
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910025
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0090006E
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F83
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900F94
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900051
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FC0
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000B0
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0090009F
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F2F
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000D2
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009000E3
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900FA5
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FE5
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900F68
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0090002C
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0090001B
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009000C1
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0036
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0025
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF000A
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF006C
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF005B
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0033
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE000C
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00920FD4
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00920025
.text C:\WINDOWS\System32\svchost.exe[1088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01460000
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01460FE5
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0146001B
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01450FE5
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01450075
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0145005A
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01450F80
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01450F91
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01450022
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01450F48
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0145009A
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01450F15
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01450F26
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014500C9
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01450033
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01450FCA
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01450F6F
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01450011
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01450000
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01450F37
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014A0036
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014A0051
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014A001B
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014A0FE5
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014A0F94
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 03D42D20 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 03D42C00 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 03D42EC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 03D42FC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 012B0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 012B0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 012B0011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 012B0FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] Ws2_32.dll!socket 71AB4211 5 Bytes JMP 01AC0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] Ws2_32.dll!connect 71AB4A07 2 Bytes JMP 10029F50 C:\WINDOWS\system32\netmgr.dll (Games for Windows® - LIVE Splash Screen/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] Ws2_32.dll!connect + 3 71AB4A0A 2 Bytes [57, 9E] {PUSH EDI; SAHF }
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0F52
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D0F6D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0F8A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0F1C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0062
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D00A4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0089
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D00BF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D0F37
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009C0FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009C004A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009C0FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009C0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009C0039
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009C0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009C0F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BC, 88]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009C0FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009B0F9C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] msvcrt.dll!system 77C293C7 5 Bytes JMP 009B001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009B0FC1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009B0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009B000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009B0FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 03B42D20 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 03B42C00 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 03B42EC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 03B42FC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00990FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00990FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00990014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00990FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] Ws2_32.dll!socket 71AB4211 5 Bytes JMP 009A0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] Ws2_32.dll!connect 71AB4A07 2 Bytes JMP 10029F50 C:\WINDOWS\system32\netmgr.dll (Games for Windows® - LIVE Splash Screen/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] Ws2_32.dll!connect + 3 71AB4A0A 2 Bytes [57, 9E] {PUSH EDI; SAHF }

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:5760] A3FB8730

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Documents and Settings\All Users\Documents\Pinnacle\Content\MotionTitles\-Looks\Standard\01 \x2013 Soft Shadow Looks.ixLook 1
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----

Attached Files


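The `.text` lines in the GMER log above are its list of user-mode inline hooks: the hooked process, the export that was patched, the patch length, and the jump target; where GMER can map the target to a loaded module it appends that module's path and version description, otherwise only the bare address is printed. The Python below is an added example for triaging such a log, not part of this thread or of GMER itself: it parses that line format and separates hooks that resolve to a named module from hooks into memory GMER could not attribute, so a reviewer can see per process which entries deserve a closer look. The sample lines are copied from the log above; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER ".text" section above, covering each
# line style (bare JMP target, JMP resolved to a module, non-JMP byte patch, second process).
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270087
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 03D42D20 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] Ws2_32.dll!connect 71AB4A07 2 Bytes JMP 10029F50 C:\WINDOWS\system32\netmgr.dll (Games for Windows® - LIVE Splash Screen/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] Ws2_32.dll!connect + 3 71AB4A0A 2 Bytes [57, 9E] {PUSH EDI; SAHF }
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0FE5
---- Devices - GMER 1.0.15 ----
"""

# ".text <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> Bytes <patch...>"
HOOK_RE = re.compile(
    r"^\.text (?P<process>.+?\[(?P<pid>\d+)\]) "
    r"(?P<export>\S+![^\s+]+)(?: \+ (?P<offset>\d+))? "
    r"(?P<address>[0-9A-Fa-f]+) (?P<length>\d+) Bytes (?P<patch>.*)$"
)
# "<target>" alone, or "<target> <module path> (<description>/<company>)"
TARGET_RE = re.compile(r"^(?P<target>[0-9A-Fa-f]+)(?: (?P<module>.+?) \((?P<info>.*)\))?\s*$")


def parse_hook_line(line):
    """Return a record for one GMER .text line, or None for anything else."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "process": m["process"], "pid": int(m["pid"]), "export": m["export"],
        "offset": int(m["offset"] or 0), "address": m["address"],
        "length": int(m["length"]), "kind": "patch",   # non-JMP bytes, e.g. "[57, 9E] {...}"
        "target": None, "module": None, "info": None,
    }
    patch = m["patch"]
    if patch.startswith("JMP "):
        t = TARGET_RE.match(patch[4:])
        if t:
            rec["target"] = t["target"]
            rec["module"] = t["module"]
            rec["info"] = t["info"]
            # GMER names the owning module only when it can map the target address
            rec["kind"] = "attributed" if t["module"] else "unattributed"
    return rec


def summarize(log_text):
    """Per-process tally of attributed, unattributed and patch-only entries."""
    summary = defaultdict(lambda: {"attributed": 0, "unattributed": 0, "patch": 0, "modules": set()})
    for line in log_text.splitlines():
        rec = parse_hook_line(line)
        if rec is None:          # section headers, blank lines, non-.text entries
            continue
        entry = summary[rec["pid"]]
        entry[rec["kind"]] += 1
        if rec["module"]:
            # keep only the file name, lower-cased, so one DLL is listed once per process
            entry["modules"].add(rec["module"].replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return {pid: {**e, "modules": sorted(e["modules"])} for pid, e in summary.items()}


def unattributed_hooks(log_text):
    """(pid, export, target) for every JMP whose target GMER could not tie to a module."""
    records = (parse_hook_line(line) for line in log_text.splitlines())
    return [(r["pid"], r["export"], r["target"]) for r in records if r and r["kind"] == "unattributed"]


if __name__ == "__main__":
    for pid, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(pid, entry)
    for pid, export, target in unattributed_hooks(SAMPLE_LOG):
        print(f"review: pid {pid} {export} -> {target} (no module attribution)")
```

Run against the full log, the summary shows which modules are doing the hooking in each IE process and how many jump targets GMER could not attribute; an unattributed target is not proof of anything on its own (security products hook this way too), but it is the set an analyst has to explain, alongside any attributed module whose path or description does not match its name.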

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:39 AM

Posted 17 April 2011 - 09:46 PM

Angela:

You have more than one antivirus (AV) program running. Your logs show both AdAware with AV and McAfee running. Running more than one AV program does not offer any more protection and often causes conflicts and slowdowns with your computer. Please uninstall either AdAware or McAfee via Control Panel > Add/Remove Programs. Run the removal tool (links below) for whichever app you uninstall also:

McAfee Removal Tool
No tool for AdAware

P2P - I see you have P2P software (FrostWire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 bookmom

bookmom
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 18 April 2011 - 04:06 PM

Here is the log

ComboFix 11-04-17.03 - Angela 04/18/2011 13:38:00.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2837 [GMT -7:00]
Running from: c:\documents and settings\Angela\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Angela\GoToAssistDownloadHelper.exe
c:\documents and settings\Angela\WINDOWS
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
.
.
2011-04-18 01:40 . 2011-04-18 01:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-18 01:35 . 2011-04-18 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-04-18 01:20 . 2011-04-18 01:20 -------- d-----w- c:\program files\Microsoft Games
2011-04-17 03:07 . 2011-04-17 03:07 -------- d-----w- c:\program files\Trend Micro
2011-04-15 02:45 . 2011-04-18 01:28 -------- d-----w- c:\documents and settings\Angela\Local Settings\Application Data\ACD Systems
2011-04-15 02:45 . 2011-04-15 02:45 -------- d-----w- c:\documents and settings\Angela\Application Data\ACD Systems
2011-04-12 15:51 . 2011-04-12 15:51 -------- d-----w- c:\program files\Citrix
2011-04-10 02:16 . 2011-04-18 01:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-10 02:16 . 2011-04-18 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-03 18:32 . 2011-04-03 18:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-03-30 22:31 . 2011-03-30 22:31 -------- d-----w- c:\program files\File Type Assistant
2011-03-30 22:27 . 2011-03-30 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 20:37 . 2011-03-11 20:37 487936 --sh--w- c:\windows\system32\netmgr.dll
2011-03-11 20:37 . 2011-03-11 20:37 69632 --sh--w- c:\windows\system32\taskext.dll
2011-03-07 05:33 . 2010-03-17 19:58 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2003-03-31 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-03-31 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-19 00:36 . 2010-11-14 21:48 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-19 00:36 . 2010-11-14 21:48 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2003-03-31 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-03-31 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-18 04:49 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2003-03-31 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2003-03-31 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2003-03-31 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 04:40 . 2010-06-20 19:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19 . 2010-06-20 19:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2010-03-17 19:57 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-17 19:57 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-17 39408]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2003-02-21 40960]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 16116224]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"GlobeCom_Full_Client_McciTrayApp"="c:\program files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe" [2009-05-27 1528832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\Angela\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PowerReg Scheduler V3.exe [2010-3-21 225280]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Angela^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Angela\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\NX Client for Windows\\bin\\nxssh.exe"=
"c:\\Program Files\\NX Client for Windows\\nxclient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58306:TCP"= 58306:TCP:Pando Media Booster
"58306:UDP"= 58306:UDP:Pando Media Booster
"1037:TCP"= 1037:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2010 10:26 AM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/17/2010 6:02 PM 84072]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/6/2010 3:19 AM 169408]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [3/31/2003 5:00 AM 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/17/2010 6:02 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/17/2010 6:02 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/17/2010 6:02 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/17/2010 6:02 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [3/17/2010 6:02 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/17/2010 6:02 PM 55840]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [3/17/2010 6:46 PM 18864]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/17/2010 6:02 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/17/2010 6:02 PM 88544]
S2 bitrgwiz.exe;Bitrgwiz;"c:\windows\system32\bitrgwiz.exe" /s /p 27016 --> c:\windows\system32\bitrgwiz.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/26/2010 8:03 PM 136176]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [7/29/2008 2:09 PM 39424]
S3 jnv4_mib;jnv4_mib;\??\c:\docume~1\Angela\LOCALS~1\Temp\jnv4_mib.sys --> c:\docume~1\Angela\LOCALS~1\Temp\jnv4_mib.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/17/2010 6:02 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/17/2010 6:02 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-HOME-OFFICE-Angela.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 08:25]
.
2011-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 19:50]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 03:03]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-27 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: &Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: &Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-18 13:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-606747145-1004336348-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:37,9a,4c,6c,6e,61,24,06,10,c0,c0,4b,b0,5b,cb,b7,0c,68,af,8d,eb,
a6,1d,45,cf,31,76,56,16,92,27,ed,33,1f,1c,20,52,6b,46,37,31,b1,eb,fe,a2,59,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1304)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2116)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-18 13:59:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-18 20:58
.
Pre-Run: 24,461,942,784 bytes free
Post-Run: 25,597,296,640 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 6AA0B18A0C10F76D0A421EC4988D245F

#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:11:39 AM

Posted 18 April 2011 - 04:56 PM

Angela:

Are you still being redirected? Please do this next:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is the computer running now?
  • MBAM log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 bookmom
  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:39 AM

Posted 18 April 2011 - 08:51 PM

I have done the first scan and will do the second shortly. The computer is running much faster and more smoothly!!! I tried a couple of searches on Google and there was no redirect.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6393

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/18/2011 6:50:04 PM
mbam-log-2011-04-18 (18-50-04).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 327596
Time elapsed: 3 hour(s), 8 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{e2831ca7-a677-4b9e-82cd-93e97f898af6}\RP432\A0053935.exe (Spyware.Agent) -> Not selected for removal.
c:\WINDOWS\system32\netmgr.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\taskext.dll (Spyware.Agent) -> Quarantined and deleted successfully.
d:\documents and settings\angela goddard\dowloaded programs\sony vegas video 6 keygen\vegas 6 keygen\Vegas6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\documents and settings\angela goddard\dowloaded programs\sony.dvd.architect.v3.0.incl.keygen-ssg\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
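
Added example, not code from the thread or from Malwarebytes: a small parser for the "Files Infected:" section of an MBAM 1.50 log in the format posted above, which then sorts each detection the way the helper's instructions do, setting aside System Restore and Qoobox entries (cleared when ComboFix is uninstalled) from files MBAM already quarantined. The sample log is constructed from the lines above; the bucket names are this example's own.

```python
import re

# Sample constructed from the "Files Infected:" section of the MBAM log above (not the full log).
SAMPLE_LOG = r"""Files Infected:
c:\system volume information\_restore{e2831ca7-a677-4b9e-82cd-93e97f898af6}\RP432\A0053935.exe (Spyware.Agent) -> Not selected for removal.
c:\WINDOWS\system32\netmgr.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\taskext.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
"""

# One detection line has the shape "<path> (<threat>) -> <action>."
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Locations the helper said to leave unchecked: System Restore points and
# ComboFix's Qoobox quarantine, both removed when ComboFix is uninstalled.
CACHE_PREFIXES = ("\\system volume information\\_restore", "\\qoobox\\")

def parse_files_infected(log_text):
    """Return (path, threat, action) tuples from the 'Files Infected:' list."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":  # header of the detailed list, not the count line
            in_section = True
            continue
        if not in_section or not line or line.startswith("("):
            continue  # blank line or "(No malicious items detected)"
        m = LINE_RE.match(line)
        if m:
            entries.append((m["path"], m["threat"], m["action"]))
    return entries

def triage(entries):
    """Bucket detections: restore/quarantine cache, already removed, or pending."""
    result = {"cache": [], "removed": [], "pending": []}
    for path, threat, action in entries:
        no_drive = path.lower().split(":", 1)[-1]  # "c:\x" -> "\x" for prefix matching
        if no_drive.startswith(CACHE_PREFIXES):
            result["cache"].append((path, threat))
        elif action.startswith("Quarantined and deleted"):
            result["removed"].append((path, threat))
        else:
            result["pending"].append((path, threat, action))  # still needs attention
    return result

if __name__ == "__main__":
    for bucket, items in triage(parse_files_infected(SAMPLE_LOG)).items():
        print(bucket, len(items), [p for p, *_ in items])
```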

#8 bookmom
  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:39 AM

Posted 18 April 2011 - 11:39 PM

This is what the ESET scan showed. This is the file that I didn't delete (as per your instructions) in the other scan this evening.


C:\System Volume Information\_restore{E2831CA7-A677-4B9E-82CD-93E97F898AF6}\RP432\A0053935.exe a variant of Win32/Kryptik.LNM trojan

#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:11:39 AM

Posted 24 April 2011 - 08:36 PM

Angela:

I'm so sorry - I missed my notification that you'd replied. Your logs look good! That ESET detection is in your system restore cache and will be removed when we uninstall ComboFix. Now I have some very important cleanup for you to take care of:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#10 bookmom
  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:39 AM

Posted 25 April 2011 - 01:12 PM

I've cleaned up the computer and it is working better than it has in a long time. I hear you about the p2p :-) Thank you so much for your help, you really are a good Samaritan!!

Cheers

Angela

#11 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:11:39 AM

Posted 25 April 2011 - 04:15 PM

You're welcome, Angela. Take care.



#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:11:39 AM

Posted 26 April 2011 - 04:33 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





