Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

malware removal


  • This topic is locked This topic is locked
19 replies to this topic

#1 john-mark-7

john-mark-7

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 01 June 2011 - 05:34 PM

I incorrectly put browser hijacker in the subject. I have run malwarebytes and removed 9 trojans
but now I get "can not obtain ip address" if I use a static address I can ping but dns does not work.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:20:14 PM, on 6/1/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\PLFSetL.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jillana Del Campo\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jillana Del Campo\Desktop\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph04104225l0384wum5w88423143
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph04104225l0384wum5w88423143
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph04104225l0384wum5w88423143
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: CNET TechTracker.lnk = C:\Documents and Settings\Jillana Del Campo\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://71.157.145.90:8222/activex/AMC.cab
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} (WRC Class) - http://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{518850E7-C50D-46AA-AB4C-51380D38B562}: NameServer = 68.105.28.12,68.105.29.12
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe

--
End of file - 14127 bytes

I removed multiple trojans from a windows xp netbook. The computer works ok except that it can not obtain a dhcp ip address. If I assign a fixed ip address. I can ping but dns does not work. I have attempted to fix the tcp/ip stack with lsp fix which found bmnet.dll and removed it. The PC still has the same troubles.

.

DDS (Ver_2011-06-01.06) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by Jillana Del Campo at 20:19:05 on 2011-06-01

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.506 [GMT -7:00]

.

AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\PLFSetL.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Jillana Del Campo\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Jillana Del Campo\Desktop\HijackThis.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\rundll32.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig?hl=en&gl=us

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph04104225l0384wum5w88423143

mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph04104225l0384wum5w88423143

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph04104225l0384wum5w88423143

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [PLFSetL] c:\windows\PLFSetL.exe

mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS

mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [<NO NAME>]

mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a

StartupFolder: c:\docume~1\jillan~1\startm~1\programs\startup\cnette~1.lnk - c:\documents and settings\jillana del campo\application data\cbs interactive\cnet techtracker\TechTracker.exe

StartupFolder: c:\docume~1\jillan~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\jillan~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: bmnet.dll

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://71.157.145.90:8222/activex/AMC.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{518850E7-C50D-46AA-AB4C-51380D38B562} : NameServer = 68.105.28.12,68.105.29.12

TCP: Interfaces\{82918BFE-AD82-483A-96B3-3EFCB3318589} : DhcpNameServer = 192.168.1.254

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jillana del campo\application data\mozilla\firefox\profiles\9oav2863.default\

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-1 214664]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-1 198432]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-1 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-1 144704]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-1 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-1 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-1 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-1 40552]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-27 135664]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2010-7-27 121416]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-27 135664]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-1 34248]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-3-31 197504]

S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-5-4 148992]

.

=============== Created Last 30 ================

.

2011-05-31 20:26:10 -------- d-----w- c:\program files\McAfee Security Scan

2011-05-31 20:26:10 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan

2011-05-31 17:18:30 -------- d-----w- c:\documents and settings\jillana del campo\application data\Malwarebytes

2011-05-31 17:17:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-31 17:17:46 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-31 17:17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-31 17:17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-30 00:46:55 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-05-30 00:46:55 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-14 18:22:58 0 ---ha-w- c:\windows\Cyateqijolozik.bin

2011-05-14 18:22:56 -------- d-----w- c:\documents and settings\jillana del campo\local settings\application data\{7FFDBBD2-BA56-4BA1-B50C-E150E786EACE}

.

==================== Find3M ====================

.

2011-05-31 16:58:57 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

.

============= FINISH: 20:20:45.34 ===============

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-02 09:07:07

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.11.0

Running: gmer.exe; Driver: C:\DOCUME~1\JILLAN~1\LOCALS~1\Temp\awkyraob.sys





---- System - GMER 1.0.15 ----



Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA0AB78A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAA0AB821]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA0AB738]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA0AB74C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA0AB835]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA0AB861]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAA0AB8CF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAA0AB8B9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA0AB7CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA0AB8FB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAA0AB80D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA0AB710]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA0AB724]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA0AB79E]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAA0AB937]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA0AB8A3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAA0AB88D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA0AB84B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA0AB923]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA0AB90F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA0AB776]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA0AB762]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAA0AB877]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA0AB7F9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA0AB8E5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA0AB7E0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA0AB7B4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess



---- Kernel code sections - GMER 1.0.15 ----



.text ntoskrnl.exe!ZwYieldExecution 80515AB2 7 Bytes JMP AA0AB7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwOpenKey 80572BDF 5 Bytes JMP AA0AB811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwQueryValueKey 80572F19 7 Bytes JMP AA0AB891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtCreateFile 80573DFB 5 Bytes JMP AA0AB78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtSetInformationProcess 80574B1F 5 Bytes JMP AA0AB766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateKey 80578AB4 5 Bytes JMP AA0AB825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057A7A9 5 Bytes JMP AA0AB7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtMapViewOfSection 8057AC21 7 Bytes JMP AA0AB7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwQueryKey 8057EC02 7 Bytes JMP AA0AB93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwEnumerateKey 8057F002 7 Bytes JMP AA0AB8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057F56B 7 Bytes JMP AA0AB7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenProcess 8057F93A 5 Bytes JMP AA0AB714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwSetValueKey 80580088 7 Bytes JMP AA0AB87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B9EC 7 Bytes JMP AA0AB750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwTerminateProcess 8058E8B1 5 Bytes JMP AA0AB7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590232 7 Bytes JMP AA0AB8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenThread 80596743 5 Bytes JMP AA0AB728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwNotifyChangeKey 80596D8A 5 Bytes JMP AA0AB8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwDeleteValueKey 805991E8 7 Bytes JMP AA0AB865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwDeleteKey 8059A5C9 7 Bytes JMP AA0AB839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateProcess 805C7A4D 5 Bytes JMP AA0AB73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwSetContextThread 80635EFB 5 Bytes JMP AA0AB77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwUnloadKey 80655A96 7 Bytes JMP AA0AB8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 806563CF 7 Bytes JMP AA0AB8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwRenameKey 8065684C 7 Bytes JMP AA0AB84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwRestoreKey 80656D3D 5 Bytes JMP AA0AB913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwReplaceKey 806571A8 5 Bytes JMP AA0AB927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)



---- User code sections - GMER 1.0.15 ----



.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[624] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00760FEF

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00760F77

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00760F92

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0076006C

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0076005B

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0076002F

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00760F3A

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00760F4B

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00760EF3

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00760F0E

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00760ECE

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00760040

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00760000

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00760F5C

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00760FB9

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00760FD4

.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00760F29

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00790FDE

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0079006C

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0079002F

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00790FEF

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0079005B

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0079000A

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00790FB9

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [99, 88]

.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00790040

.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780033

.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00780FA8

.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00780FD7

.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780000

.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780022

.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780011

.text C:\WINDOWS\system32\services.exe[844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00770000

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0000

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F79

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F94

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0062

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0FA5

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FCA

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC00A4

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F68

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00DA

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00BF

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F26

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0047

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0011

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0089

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0036

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FDB

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0F41

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF001B

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F9E

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FD4

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF000A

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF005B

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0040

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FB9

.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE004C

.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0031

.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE000C

.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF

.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FC1

.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2

.text C:\WINDOWS\system32\lsass.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FE5

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024E0000

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024E0F81

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024E0F92

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024E0FAF

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024E006C

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024E0FDB

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024E0F5C

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024E00A4

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024E0F30

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024E0F41

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024E0F1F

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024E0FCA

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024E001B

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024E0087

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024E0051

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024E0040

.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024E00BF

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025B0FDB

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025B0F83

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025B002C

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025B001B

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025B0F94

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025B000A

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 025B0FAF

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7B, 8A] {JNP 0xffffffffffffff8c}

.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025B0FCA

.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025A0F9F

.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 025A0FB0

.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025A0FD2

.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025A0000

.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025A0FC1

.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025A0FEF

.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02590FEF

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EE0FEF

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EE0076

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EE0065

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EE0F81

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EE0FA8

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EE002F

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EE0F2E

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EE0F3F

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE0EE7

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE0F02

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EE00A5

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EE0040

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EE0FD4

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EE0F66

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EE0FC3

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EE000A

.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EE0F1D

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10FD4

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10076

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F10025

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F1000A

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10FAF

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10FEF

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F10051

.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10036

.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F00F7F

.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00F90

.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F00000

.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00FEF

.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F00FAB

.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00FC6

.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03A10000

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03A1007D

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03A10F88

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03A10FAF

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03A10FCA

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03A10FDB

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03A10F5C

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03A10098

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03A10F15

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03A10F30

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03A100D3

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03A1006C

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03A10011

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03A10F6D

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03A10047

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03A10036

.text C:\WINDOWS\System32\svchost.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03A10F4B

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE002C

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE006C

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE001B

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE0000

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE0FAF

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE0FEF

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AE0051

.text C:\WINDOWS\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE0FCA

.text C:\WINDOWS\System32\svchost.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD004C

.text C:\WINDOWS\System32\svchost.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0FC1

.text C:\WINDOWS\System32\svchost.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD001D

.text C:\WINDOWS\System32\svchost.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD0FEF

.text C:\WINDOWS\System32\svchost.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FD2

.text C:\WINDOWS\System32\svchost.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD000C

.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0FEF

.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00AB0FE5

.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00AB0000

.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00AB0011

.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00AB0FC0

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008E0FE5

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008E0090

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008E007F

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008E0058

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008E0047

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008E001B

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008E00C8

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008E0F80

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008E0F5B

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008E00F4

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008E0119

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008E0036

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008E0FD4

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008E00A1

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008E000A

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008E0FB9

.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008E00E3

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0091004A

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00910FC3

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0091002F

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00910FEF

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00910080

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00910000

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00910FDE

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B1, 88] {MOV CL, 0x88}

.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0091005B

.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00900FC3

.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00900044

.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00900FDE

.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00900FEF

.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00900033

.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00900018

.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008F0000

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE007D

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE006C

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0051

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0040

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0F94

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00A9

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0098

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F2B

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F3C

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0F06

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0025

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FD4

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F6D

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0000

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FB9

.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE00BA

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD000A

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD004A

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD0FB9

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD0FDE

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD0F8D

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0FEF

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CD0025

.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0F9E

.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0073

.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0062

.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC002C

.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0000

.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0047

.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC0011

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00730FE5

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00730040

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00730F4B

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00730025

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00730F72

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00730F9E

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0073008C

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00730F3A

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007300A7

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00730F18

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007300C2

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00730F83

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00730FD4

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00730065

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0073000A

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00730FB9

.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00730F29

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0025

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0F7C

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FCA

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF000A

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0F97

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0FEF

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0FA8

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]

.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0FB9

.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760050

.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!system 77C293C7 5 Bytes JMP 0076003F

.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760FE3

.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760000

.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0076002E

.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0076001D

.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0074000A

.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0074001B

.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0074002C

.text C:\WINDOWS\system32\svchost.exe[1584] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00740FE5

.text C:\WINDOWS\system32\svchost.exe[1584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0349000A

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03490051

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03490036

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03490F5C

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03490F83

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03490FAF

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03490087

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!GetStartupInfoA 7C801EF2 3 Bytes JMP 0349006C

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!GetStartupInfoA + 4 7C801EF6 1 Byte [86]

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03490F10

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 034900A9

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 034900C4

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03490F94

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03490FEF

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03490F4B

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03490FCA

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0349001B

.text C:\WINDOWS\Explorer.EXE[1820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03490098

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03480036

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 034800A2

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03480FE5

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03480011

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03480087

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03480000

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03480076

.text C:\WINDOWS\Explorer.EXE[1820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03480051

.text C:\WINDOWS\Explorer.EXE[1820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03470F9A

.text C:\WINDOWS\Explorer.EXE[1820] msvcrt.dll!system 77C293C7 5 Bytes JMP 0347001B

.text C:\WINDOWS\Explorer.EXE[1820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03470FC6

.text C:\WINDOWS\Explorer.EXE[1820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03470FE3

.text C:\WINDOWS\Explorer.EXE[1820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03470FB5

.text C:\WINDOWS\Explorer.EXE[1820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03470000

.text C:\WINDOWS\Explorer.EXE[1820] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03450000

.text C:\WINDOWS\Explorer.EXE[1820] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03450011

.text C:\WINDOWS\Explorer.EXE[1820] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03450FD1

.text C:\WINDOWS\Explorer.EXE[1820] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 03450FB6

.text C:\WINDOWS\Explorer.EXE[1820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03460000



---- Devices - GMER 1.0.15 ----



AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)



---- EOF - GMER 1.0.15 ----

EDIT: Topics merged ~Budapest

Edited by Budapest, 06 June 2011 - 10:17 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 09 June 2011 - 05:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 john-mark-7

john-mark-7
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 09 June 2011 - 10:21 PM

I am here and awaiting your instructions

John

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 10 June 2011 - 07:18 PM

Please run Combofix to see what MBAM left behind

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#5 john-mark-7

john-mark-7
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 12 June 2011 - 10:49 PM

Since internet access is broken combofix was able to download the recovery console. The computer still has no internet access. Here is the log.

ComboFix 11-06-11.01 - Jillana Del Campo 06/12/2011 20:00:55.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.404 [GMT -7:00]

Running from: D:\ComboFix.exe

AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Jillana Del Campo\2gweorjqjutp92vjy9gake

c:\documents and settings\Jillana Del Campo\Application Data\Adobe\plugs

c:\documents and settings\Jillana Del Campo\Application Data\Adobe\plugs\mmc11884937.txt

c:\documents and settings\Jillana Del Campo\Application Data\Adobe\shed

c:\documents and settings\Jillana Del Campo\Application Data\Adobe\shed\thr1.chm

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000023_.tmp.dll

c:\windows\system32\_000024_.tmp.dll

c:\windows\system32\_000025_.tmp.dll

c:\windows\system32\_000026_.tmp.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-05-13 to 2011-06-13 )))))))))))))))))))))))))))))))

.

.

2011-06-07 17:29 . 2008-04-14 05:05 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys

2011-06-07 17:29 . 2008-04-14 05:05 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys

2011-05-31 20:26 . 2011-05-31 20:26 -------- d-----w- c:\program files\McAfee Security Scan

2011-05-31 20:26 . 2011-05-31 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2011-05-31 17:18 . 2011-05-31 17:18 -------- d-----w- c:\documents and settings\Jillana Del Campo\Application Data\Malwarebytes

2011-05-31 17:17 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-31 17:17 . 2011-05-31 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-31 17:17 . 2011-06-07 17:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-31 17:17 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-30 00:46 . 2011-05-30 00:46 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-14 18:22 . 2011-05-14 18:22 0 ---ha-w- c:\windows\Cyateqijolozik.bin

2011-05-14 18:22 . 2011-05-30 00:46 -------- d-----w- c:\documents and settings\Jillana Del Campo\Local Settings\Application Data\{7FFDBBD2-BA56-4BA1-B50C-E150E786EACE}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-28 39408]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-08-01 24064]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]

"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-17 196608]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-09 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2010-07-28 883272]

.

c:\documents and settings\Jillana Del Campo\Start Menu\Programs\Startup\

CNET TechTracker.lnk - c:\documents and settings\Jillana Del Campo\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe [2010-12-2 2621952]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-8-1 565248]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-5-8 607584]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Acer\\Acer VCM\\VC.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/1/2009 2:18 AM 198432]

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 2:35 AM 237568]

R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [7/27/2010 6:19 PM 121416]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 12:35 AM 38912]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2010 9:50 PM 135664]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 1:48 AM 1684736]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 1:50 AM 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2010 9:50 PM 135664]

S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [6/7/2011 10:29 AM 32384]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/1/2009 1:43 AM 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 1:45 PM 197504]

S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 2:57 PM 148992]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

*Deregistered* - BMLoad

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

.

2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-28 04:50]

.

2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-28 04:50]

.

2011-02-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-01 19:22]

.

2009-08-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-01 19:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en&amp;gl=us

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph04104225l0384wum5w88423143

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

LSP: bmnet.dll

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\Jillana Del Campo\Application Data\Mozilla\Firefox\Profiles\9oav2863.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-12 20:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,d3,d4,0c,cc,19,dd,4e,9f,b0,aa,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,d3,d4,0c,cc,19,dd,4e,9f,b0,aa,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(556)

c:\windows\system32\bmnet.dll

.

- - - - - - - > 'explorer.exe'(3800)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\windows\system32\igfxext.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\windows\system32\wdfmgr.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2011-06-12 20:19:20 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-13 03:19

.

Pre-Run: 125,222,367,232 bytes free

Post-Run: 125,731,328,000 bytes free

.

- - End Of File - - AB156967960818E1A285CA7880C95295

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 13 June 2011 - 05:07 PM

Use Windows Explorer to find and delete this file:

c:\windows\Cyateqijolozik.bin

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete



Let's see if a basic repair can bring back your connection.

If your network icon appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair.

Posted Image

If you have no task bar icon do this:

  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • click on the Repair menu option.

Posted Image

Let the repair process perform its tasks and when it has finished, hopefully your Internet connection should be working again.

if not try step two

Step two

  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Click the Networking tab
  • Double-click on the Internet Protocol (TCP/IP) item.
  • Write down the settings in case you should need to change them back.
  • Select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice to get out of the properties screen and restart your computer.
  • If not prompted to reboot go ahead and reboot manually.

In I.E.
  • Check internet options settings.
  • Tools > Internet Options > Connections
  • LAN settings
  • Choose "automatically detect settings"
  • uncheck both proxy settings boxes

In FireFox
  • Click on Advanced -> Network -> Setttings…
  • the No Proxy option should be selected

Posted Image
m0le is a proud member of UNITE

#7 john-mark-7

john-mark-7
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 15 June 2011 - 04:10 PM

I removed the file. I attempted get obtain an ip adress and failed. The ip settings are correct under the adapter and repairing the connection does not work.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 15 June 2011 - 05:34 PM

It could be that the winsock was corrupted.

  • Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
  • Copy the file to the desktop on the non working machine.
  • Double Click on Posted Image on your desktop.
  • Push the Posted Image button.
  • Allow your system to reboot.

Please let me know if your connection is restored in your next reply
Posted Image
m0le is a proud member of UNITE

#9 john-mark-7

john-mark-7
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 15 June 2011 - 05:50 PM

I ran it. The computer tries to get an ip address for a while and then times out.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 15 June 2011 - 05:57 PM

One more try before I contact a networking specialist. Reinstall TCP/IP
  • Go to Start the Settings and choose Network Connections
  • Right click on your normal connection icon, and choose Properties
  • Click the Install button
  • Choose Protocol then click Add
  • Click Have disk
  • In the drop down box, type in: C:\WINDOWS\INF and click OK
  • In the next dialog, click Internet Protocol (TCP/IP) then click OK
  • Click Close to leave the properties box
After that, Reboot your computer and see if you have regained your connection.
Posted Image
m0le is a proud member of UNITE

#11 john-mark-7

john-mark-7
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 15 June 2011 - 06:32 PM

I tried it. Still no ip address.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 15 June 2011 - 07:45 PM

Let's take a look at the machine's settings

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
Click Go and post the result.
Posted Image
m0le is a proud member of UNITE

#13 john-mark-7

john-mark-7
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 16 June 2011 - 10:26 AM

Here is the log.

Attached Files



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:38 AM

Posted 16 June 2011 - 08:02 PM

Make sure, your computer is set to obtain IP address automatically.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties
6. Click Obtain an IP Address Automatically, and then click OK.

If that doesn't work...
Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.

If that doesn't work, bypass router, and connect computer straight to the modem.

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Restart computer.

If that doesn't work...
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart computer.

If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista and 7):
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.

Let me know what happens.
Posted Image
m0le is a proud member of UNITE

#15 john-mark-7

john-mark-7
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 16 June 2011 - 11:16 PM

When I enter ipconfig /registerdns I get registration of dns records failed: the RPC server is unavailable.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users