TDSS.e!rootkit [Trojan]

13 replies to this topic

#1 EX251 (Members, 12 posts)
Posted 06 July 2011 - 01:39 PM

My PC was infected with a virus which makes the screen completely black. I scanned my PC using McAfee in Safe Mode and a virus "TDSS.e!rootkit" had been discovered and deleted by the antivirus software. Another virus called FakeAlert!grb was also discovered and deleted. After restarting the PC, the screen becomes completely blue with nothing on the desktop. Also, all programs and menus on the Start menu have disappeared. Also, all the icons under Administrative Tools are missing (both from Control Panel and the Start Menu). Task Manager cannot be opened, as a message says "it is disabled by administrator". All files and programs were found with Hidden attributes; I changed them and they appeared back, but not on the Start menu, where they appeared as empty files.

So, as the viruses were deleted, what is happening? How could I return my PC to its normal situation and good health?
Please help me.
Thanks

Edited by hamluis, 06 July 2011 - 03:37 PM.
Moved from XP to Am I Infected.



#2 EX251 (Topic Starter, Members, 12 posts)
Posted 06 July 2011 - 01:46 PM

The View Log for the antivirus scan report:


7/6/2011 5:35:14 AM Engine version = 5400.1158
7/6/2011 5:35:14 AM AntiVirus DAT version = 6397.0
7/6/2011 5:35:14 AM Number of detection signatures in EXTRA.DAT = None
7/6/2011 5:35:14 AM Names of detection signatures in EXTRA.DAT = None
7/6/2011 5:35:01 AM Scan Started ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Scan Summary
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Processes scanned : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Processes detected : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Processes cleaned : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Boot sectors scanned : 1
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Boot sectors detected: 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Boot sectors cleaned : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Files scanned : 1
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Files with detections: 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo File detections : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Files cleaned : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Files deleted : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Files not scanned : 0
7/6/2011 5:35:17 AM Scan Summary ANIS-HOME\Lenovo Run time : 0:00:16
7/6/2011 5:35:17 AM Scan Complete ANIS-HOME\Lenovo On-Demand Scan


7/6/2011 5:38:11 AM Engine version = 5400.1158
7/6/2011 5:38:11 AM AntiVirus DAT version = 6397.0
7/6/2011 5:38:11 AM Number of detection signatures in EXTRA.DAT = None
7/6/2011 5:38:11 AM Names of detection signatures in EXTRA.DAT = None
7/6/2011 5:38:01 AM Scan Started ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 5:38:25 AM Deleted Lenovo ODS XCPT-HOOK1 TDSS.e!rootkit (Trojan)
7/6/2011 6:10:01 AM Not scanned (The file is encrypted) E:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\Design_Guide_Post-tensioned_concrete_floors-CPS_part1.rar
7/6/2011 6:16:47 AM Not scanned (The file is encrypted) C:\Documents and Settings\Lenovo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 07-06-2011 - 05-21-07.SBU
7/6/2011 6:23:22 AM Not scanned (The file is encrypted) C:\Documents and Settings\Lenovo\Local Settings\Temporary Internet Files\Content.IE5\NI073X0P\ABAQUS V6.8-1.part08[1].rar
7/6/2011 6:52:31 AM Not scanned (The file is encrypted) C:\Program Files\Golden Software\Grapher 8\GrapherUpdate.dat
7/6/2011 7:08:12 AM Not scanned (The file is encrypted) C:\Documents and Settings\Lenovo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 07-06-2011 - 05-21-07.SBU
7/6/2011 7:14:15 AM Not scanned (The file is encrypted) C:\Documents and Settings\Lenovo\Local Settings\Temporary Internet Files\Content.IE5\NI073X0P\ABAQUS V6.8-1.part08[1].rar
7/6/2011 7:16:48 AM Deleted Lenovo ODS c:\Documents and Settings\All Users\Application Data\16441124 FakeAlert!grb (Trojan)
7/6/2011 7:16:50 AM Deleted Lenovo ODS c:\Documents and Settings\All Users\Application Data\~16441124 FakeAlert!grb (Trojan)
7/6/2011 7:16:50 AM Deleted Lenovo ODS c:\Documents and Settings\All Users\Application Data\~16441124r FakeAlert!grb (Trojan)
7/6/2011 7:17:26 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\{ACD3B3A6-13F2-435C-BE81-7287F5DFA621}\OFFLINE\65E5D433\82A1DE69\GrapherUpdate.dat
7/6/2011 7:19:07 AM Not scanned (The file is encrypted) c:\Documents and Settings\Lenovo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 07-06-2011 - 05-21-07.SBU
7/6/2011 7:24:53 AM Not scanned (The file is encrypted) c:\Documents and Settings\Lenovo\Local Settings\Temporary Internet Files\Content.IE5\NI073X0P\ABAQUS V6.8-1.part08[1].rar
7/6/2011 7:35:02 AM Not scanned (The file is encrypted) c:\Program Files\Golden Software\Grapher 8\GrapherUpdate.dat
7/6/2011 8:59:14 AM Not scanned (The file is encrypted) e:\Abaqus Downloads\ABAQUS V6.8-1.part08.rar
7/6/2011 9:42:55 AM Not scanned (The file is encrypted) e:\From Flash Mem 4-2011\JAE project\Egypt_Code\Egypt_Code.rar
7/6/2011 9:46:07 AM Not scanned (The file is encrypted) e:\Grapher v8\Golden Software Grapher 8.0.278.rar
7/6/2011 9:51:04 AM Not scanned (The file is encrypted) e:\Hp\WORKWORK\NasserWork\WINZIP80.EXE
7/6/2011 9:59:40 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\Civil 510- Beahvior of Steel Structure-\support\cheopsFull2002.zip
7/6/2011 10:00:23 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\helwan exams\1.rar
7/6/2011 10:00:24 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\helwan exams\4.rar
7/6/2011 10:13:38 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\0677142358.zip
7/6/2011 10:13:39 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\0824788907.rar
7/6/2011 10:13:39 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\0849303559.zip
7/6/2011 10:13:42 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\advanced_stress_and_stability_analysis.rar
7/6/2011 10:13:48 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\Belytschko_-_Finite_Elements_for_Nonlinear_Continua___Structures__1997__4AH.rar
7/6/2011 10:13:49 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\cofldyn-bychung.part1.rar
7/6/2011 10:13:50 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\Design_Guide_Post-tensioned_concrete_floors-CPS_part1.rar
7/6/2011 10:13:54 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\HA.rar
7/6/2011 10:14:14 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\w_kfihll.rar
7/6/2011 10:17:43 AM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\pipes\mna.rar
7/6/2011 10:35:12 AM Not scanned (The file is encrypted) e:\IBM-Office 6-2008\Directory C\sydne_fem\afena.ZIP
7/6/2011 10:35:12 AM Not scanned (The file is encrypted) e:\IBM-Office 6-2008\Directory C\sydne_fem\felpa.zip
7/6/2011 10:35:12 AM Not scanned (The file is encrypted) e:\IBM-Office 6-2008\Directory C\sydne_fem\Gentop.zip
7/6/2011 10:56:20 AM Not scanned (The file is encrypted) e:\JEA\Egypt_Code\Egypt_Code.rar
7/6/2011 10:56:36 AM Not scanned (The file is encrypted) e:\LRFD For Steel Structure\LRFD For Steel Structure.rar
7/6/2011 11:03:11 AM Not scanned (The file is encrypted) e:\My_e-books\vol3\Panda Antivirus 2007 with KEY\Panda Antivirus 2007 with KEY.rar
7/6/2011 11:05:17 AM Not scanned (The file is encrypted) e:\Selected Codes\الكود الاردني\rss\doc\AC\AC11_files\image603.wmz
7/6/2011 11:05:34 AM Not scanned (The file is encrypted) e:\Selected Codes\الكود الاردني\rss\doc\earth\EARTH02_files\oledata.mso
7/6/2011 11:06:11 AM Not scanned (The file is encrypted) e:\Selected Codes\الكود الاردني\rss\doc\intill\INTILL02_files\oledata.mso
7/6/2011 11:06:53 AM Not scanned (The file is encrypted) e:\Selected Codes\الكود الاردني\rss\doc\natill\NATILL04\oledata.mso
7/6/2011 11:07:33 AM Not scanned (The file is encrypted) e:\Selected Codes\الكود الاردني\rss\doc\sant\SANT03_files\oledata.mso
7/6/2011 11:07:51 AM Not scanned (The file is encrypted) e:\Selected Codes\الكود الاردني\rss\doc\shltr\Shltr07_files\oledata.mso
7/6/2011 11:08:05 AM Not scanned (The file is encrypted) e:\Selected Codes\الكود الاردني\rss\doc\thrm\THRM04_files\oledata.mso
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Scan Summary
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Processes scanned : 64
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Processes detected : 1
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Processes cleaned : 0
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Boot sectors scanned : 2
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Boot sectors detected: 0
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Boot sectors cleaned : 0
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Files scanned : 645962
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Files with detections: 4
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo File detections : 3
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Files cleaned : 0
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Files deleted : 3
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Files not scanned : 140
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Run time : 5:38:11
7/6/2011 11:16:12 AM Scan Complete ANIS-HOME\Lenovo On-Demand Scan


7/6/2011 4:52:25 PM Engine version = 5400.1158
7/6/2011 4:52:25 PM AntiVirus DAT version = 6397.0
7/6/2011 4:52:25 PM Number of detection signatures in EXTRA.DAT = None
7/6/2011 4:52:25 PM Names of detection signatures in EXTRA.DAT = None
7/6/2011 4:52:13 PM Scan Started ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 4:52:38 PM Deleted Lenovo ODS Memory\Hidden-Process Hidden-Process.a (Trojan)
7/6/2011 4:52:38 PM Deleted Lenovo ODS XCPT-HOOK1 TDSS.e!rootkit (Trojan)
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Scan Summary
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Processes scanned : 14
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Processes detected : 2
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Processes cleaned : 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Boot sectors scanned : 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Boot sectors detected: 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Boot sectors cleaned : 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Files scanned : 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Files with detections: 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo File detections : 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Files cleaned : 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Files deleted : 0
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Files not scanned : 1
7/6/2011 4:52:38 PM Scan Summary ANIS-HOME\Lenovo Run time : 0:00:25
7/6/2011 4:52:38 PM Scan Terminated ANIS-HOME\Lenovo On-Demand Scan


7/6/2011 5:16:40 PM Engine version = 5400.1158
7/6/2011 5:16:40 PM AntiVirus DAT version = 6398.0
7/6/2011 5:16:40 PM Number of detection signatures in EXTRA.DAT = None
7/6/2011 5:16:40 PM Names of detection signatures in EXTRA.DAT = None
7/6/2011 5:16:30 PM Scan Started ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Scan Summary
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Processes scanned : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Processes detected : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Processes cleaned : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Boot sectors scanned : 1
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Boot sectors detected: 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Boot sectors cleaned : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Files scanned : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Files with detections: 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo File detections : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Files cleaned : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Files deleted : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Files not scanned : 0
7/6/2011 5:19:18 PM Scan Summary ANIS-HOME\Lenovo Run time : 0:02:48
7/6/2011 5:19:18 PM Scan Terminated ANIS-HOME\Lenovo On-Demand Scan


7/6/2011 5:19:36 PM Engine version = 5400.1158
7/6/2011 5:19:36 PM AntiVirus DAT version = 6398.0
7/6/2011 5:19:36 PM Number of detection signatures in EXTRA.DAT = None
7/6/2011 5:19:36 PM Names of detection signatures in EXTRA.DAT = None
7/6/2011 5:19:26 PM Scan Started ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 5:19:47 PM Deleted Lenovo ODS XCPT-HOOK1 TDSS.e!rootkit (Trojan)
7/6/2011 5:30:30 PM Not scanned (The file is encrypted) E:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\Design_Guide_Post-tensioned_concrete_floors-CPS_part1.rar
7/6/2011 5:40:30 PM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\{ACD3B3A6-13F2-435C-BE81-7287F5DFA621}\OFFLINE\65E5D433\82A1DE69\GrapherUpdate.dat
7/6/2011 5:44:44 PM Not scanned (The file is encrypted) c:\Documents and Settings\Lenovo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 07-06-2011 - 12-23-20.SBU
7/6/2011 6:00:48 PM Not scanned (The file is encrypted) c:\Documents and Settings\Lenovo\Local Settings\Temporary Internet Files\Content.IE5\NI073X0P\ABAQUS V6.8-1.part08[1].rar
7/6/2011 6:20:59 PM Not scanned (The file is encrypted) c:\Program Files\Golden Software\Grapher 8\GrapherUpdate.dat
7/6/2011 7:55:18 PM Not scanned (The file is encrypted) e:\Abaqus Downloads\ABAQUS V6.8-1.part08.rar
7/6/2011 8:47:35 PM Not scanned (The file is encrypted) e:\From Flash Mem 4-2011\JAE project\Egypt_Code\Egypt_Code.rar
7/6/2011 8:55:11 PM Not scanned (The file is encrypted) e:\Grapher v8\Golden Software Grapher 8.0.278.rar
7/6/2011 9:02:53 PM Not scanned (The file is encrypted) e:\Hp\WORKWORK\NasserWork\WINZIP80.EXE
7/6/2011 9:13:12 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\Civil 510- Beahvior of Steel Structure-\support\cheopsFull2002.zip
7/6/2011 9:13:50 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\helwan exams\1.rar
7/6/2011 9:13:51 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\helwan exams\4.rar
7/6/2011 9:28:53 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\0677142358.zip
7/6/2011 9:28:54 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\0824788907.rar
7/6/2011 9:28:54 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\0849303559.zip
7/6/2011 9:28:57 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\advanced_stress_and_stability_analysis.rar
7/6/2011 9:29:04 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\Belytschko_-_Finite_Elements_for_Nonlinear_Continua___Structures__1997__4AH.rar
7/6/2011 9:29:04 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\cofldyn-bychung.part1.rar
7/6/2011 9:29:06 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\Design_Guide_Post-tensioned_concrete_floors-CPS_part1.rar
7/6/2011 9:29:09 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\HA.rar
7/6/2011 9:29:28 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\BOOKS\w_kfihll.rar
7/6/2011 9:32:57 PM Not scanned (The file is encrypted) e:\HP-Office-20-4-2008\IBM_civil Aug2007\pipes\mna.rar
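
Reading a scan log like the one above by hand is error-prone, so here is an added example (my own code, not McAfee's tooling and not something posted in this thread) that parses lines in the layout shown above into scan sessions and flags detection names that recur from one session to the next. In the posted log the XCPT-HOOK1 TDSS.e!rootkit entry is reported "Deleted" in the 5:38 AM, 4:52 PM and 5:19 PM scans alike; an object that is reported deleted and is present again in the next scan was not actually removed, which is exactly the question the poster is asking. The script also separates on-disk detections (a drive-letter path) from hook or memory objects such as XCPT-HOOK1 and Memory\Hidden-Process, and collects the "Not scanned (The file is encrypted)" entries, which in the posted log are password-protected archives that the scanner never looked inside. The sample input is constructed and shortened from the posted log; the regular expressions assume the line layouts visible on this page.

```python
"""Parse McAfee VirusScan on-demand (ODS) log lines and summarise what the
scanner did, session by session.  Added example for this thread, not
McAfee's own code; line layouts are taken from the log posted above."""
import re

# Constructed sample in the layout of the posted log (shortened).
SAMPLE_LOG = r"""
7/6/2011 5:38:01 AM Scan Started ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 5:38:25 AM Deleted Lenovo ODS XCPT-HOOK1 TDSS.e!rootkit (Trojan)
7/6/2011 6:23:22 AM Not scanned (The file is encrypted) C:\Temp\ABAQUS.part08.rar
7/6/2011 7:16:48 AM Deleted Lenovo ODS c:\Documents and Settings\All Users\Application Data\16441124 FakeAlert!grb (Trojan)
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Files deleted : 3
7/6/2011 11:16:12 AM Scan Summary ANIS-HOME\Lenovo Run time : 5:38:11
7/6/2011 11:16:12 AM Scan Complete ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 4:52:13 PM Scan Started ANIS-HOME\Lenovo On-Demand Scan
7/6/2011 4:52:38 PM Deleted Lenovo ODS Memory\Hidden-Process Hidden-Process.a (Trojan)
7/6/2011 4:52:38 PM Deleted Lenovo ODS XCPT-HOOK1 TDSS.e!rootkit (Trojan)
7/6/2011 4:52:38 PM Scan Terminated ANIS-HOME\Lenovo On-Demand Scan
"""

LINE = re.compile(r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<msg>.*)$")
# "<action> <user> ODS <object> <detection name> (<kind>)"; the object may
# contain spaces, the detection name never does.
DETECTION = re.compile(
    r"^(?P<action>Deleted|Cleaned|Quarantined|Detected) (?P<user>\S+) ODS "
    r"(?P<obj>.+) (?P<name>\S+) \((?P<kind>[^)]+)\)$")
SKIPPED = re.compile(r"^Not scanned \((?P<reason>[^)]+)\) (?P<path>.+)$")
SUMMARY = re.compile(r"^Scan Summary \S+ (?P<key>.+?)\s*:\s*(?P<value>\S+)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_log(text):
    """Split the log into scan sessions, each with its detections, skipped
    files, summary counters and how it ended (Complete / Terminated)."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank lines
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("Scan Started"):
            cur = {"started": ts, "status": "Unknown", "detections": [],
                   "skipped": [], "summary": {}}
            sessions.append(cur)
            continue
        if cur is None:
            continue                      # engine/DAT header before any session
        if msg.startswith(("Scan Complete", "Scan Terminated")):
            cur["status"] = msg.split()[1]
            continue
        d = DETECTION.match(msg)
        if d:
            cur["detections"].append({
                "time": ts, "action": d["action"], "name": d["name"],
                "kind": d["kind"], "object": d["obj"],
                # A drive-letter path is an on-disk file; anything else
                # (XCPT-HOOK1, Memory\...) is a hook or memory object.
                "on_disk": bool(DRIVE_PATH.match(d["obj"])),
            })
            continue
        s = SKIPPED.match(msg)
        if s:
            cur["skipped"].append((s["reason"], s["path"]))
            continue
        k = SUMMARY.match(msg)
        if k:
            v = k["value"]
            cur["summary"][k["key"]] = int(v) if v.isdigit() else v
    return sessions


def recurring_detections(sessions):
    """Detection names reported in more than one session.  An object that
    was 'Deleted' and shows up again in the next scan was not removed."""
    seen = {}
    for s in sessions:
        for name in {d["name"] for d in s["detections"]}:
            seen[name] = seen.get(name, 0) + 1
    return {name for name, n in seen.items() if n > 1}


def report(sessions):
    """Human-readable summary of what each session found and where."""
    lines = []
    for i, s in enumerate(sessions, 1):
        lines.append(f"session {i} started {s['started']}: {s['status']}, "
                     f"{len(s['detections'])} detections, "
                     f"{len(s['skipped'])} files not scanned")
        for d in s["detections"]:
            where = "on disk" if d["on_disk"] else "in memory/hook"
            lines.append(f"  {d['action']} {d['name']} ({d['kind']}) "
                         f"{where}: {d['object']}")
    rec = recurring_detections(sessions)
    if rec:
        lines.append("recurring across sessions: " + ", ".join(sorted(rec)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_log(SAMPLE_LOG)))
```

Run against the full log posted above (paste it into SAMPLE_LOG or read it from a file), the recurring line names TDSS.e!rootkit, and every one of its hits is a hook object rather than a file, which is the practical reason the forum helper asks for a rootkit scanner (GMER) later in the thread rather than another signature scan.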

#3 EX251 (Topic Starter, Members, 12 posts)
Posted 06 July 2011 - 02:02 PM

Please, someone help me!
I am in a bad situation!

#4 jntkwx (Malware Response Team, 4,339 posts, New England, U.S.A.)
Posted 09 July 2011 - 04:00 PM

Hi EX251,

Welcome to BleepingComputer.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Step 1: Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.

Step 2: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

Step 3: Let's try rebooting into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu with several options. Press the down arrow key on your keyboard until Safe Mode with Networking is selected. Press Enter. Please see here for additional details.

Step 4: Once in Safe Mode with Networking, download Rkill.

Run Rkill (renamed iExplore.exe).

Please be patient while Rkill looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If it appears like Rkill did not stop the malware from running, please try running RKill again until the malware is no longer running.

If you are unable to download or run rkill from the main download, try these alternate download locations:

1. http://download.bleepingcomputer.com/grinler/rkill.com
2. http://download.bleepingcomputer.com/grinler/rkill.pif
3. http://download.bleepingcomputer.com/grinler/rkill.scr
4. http://download.bleepingcomputer.com/grinler/eXplorer.exe
5. http://download.bleepingcomputer.com/grinler/iExplore.exe
6. http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
7. http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe
8. http://www.boredomsoft.org/hosted/rkill.exe
9. http://www.boredomsoft.org/hosted/rkill.com
10. http://www.boredomsoft.org/hosted/rkill.scr
11. http://www.boredomsoft.org/hosted/eXplorer.exe
12. http://www.boredomsoft.org/hosted/iExplore.exe


Do not reboot your computer after running RKill as the malware programs will start again!

Step 5: Still in Safe Mode with Networking, please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware


Step 6: Reboot into Normal mode. Next, run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Step 7: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


In your next reply, please include:
  • SecurityCheck's checkup.txt file
  • MiniToolbox's Result.txt file
  • Malwarebytes' log file
  • SuperAntiSpyware log file
  • GMER log file
  • How's the computer running now? Please include a detailed description of anything out of the ordinary, including any error messages.

Regards,
Jason

 



#5 EX251 (Topic Starter, Members, 12 posts)
Posted 09 July 2011 - 05:13 PM

Thanks, Jason. Here is the content of the file checkup.txt; I hope that will help.
-----

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
McAfee VirusScan Enterprise
McAfee Agent
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
Java™ 6 Update 25
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
McAfee VirusScan Enterprise EngineServer.exe
McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise Mcshield.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

#6 EX251 (Topic Starter, Members, 12 posts)
Posted 09 July 2011 - 05:18 PM

The result.txt produced by MiniToolBox :



MiniToolBox by Farbar
Ran by Lenovo (administrator) on 10-07-2011 at 01:15:07
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
Hosts file not detected in the default diroctory
================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : Anis-Home
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® 82566DM-2 Gigabit Network Connection
Physical Address. . . . . . . . . : 00-1E-37-32-DF-62
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 81.28.112.1
                                    81.28.112.2
Lease Obtained. . . . . . . . . . : Sunday, July 10, 2011 12:45:18 AM
Lease Expires . . . . . . . . . . : Sunday, July 10, 2011 2:45:18 AM

Server: ns1.sama.jo
Address: 81.28.112.1

Name: google.com
Addresses: 213.139.49.92, 213.139.49.93, 213.139.49.94

Pinging google.com [213.139.49.93] with 32 bytes of data:

Reply from 213.139.49.93: bytes=32 time=43ms TTL=59
Reply from 213.139.49.93: bytes=32 time=41ms TTL=59

Ping statistics for 213.139.49.93:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 41ms, Maximum = 43ms, Average = 42ms

Server: ns1.sama.jo
Address: 81.28.112.1

Name: yahoo.com
Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56
           209.191.122.70

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:

Reply from 69.147.125.65: bytes=32 time=196ms TTL=48
Reply from 69.147.125.65: bytes=32 time=194ms TTL=48

Ping statistics for 69.147.125.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 194ms, Maximum = 196ms, Average = 195ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1e 37 32 df 62 ...... Intel® 82566DM-2 Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
    192.168.1.100  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.100   192.168.1.100      20
        224.0.0.0        240.0.0.0    192.168.1.100   192.168.1.100      20
  255.255.255.255  255.255.255.255    192.168.1.100   192.168.1.100       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/10/2011 00:45:34 AM) (Source: Intel® AMT) (User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.

Error: (07/09/2011 08:18:51 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: The file C:\System Volume Information\_restore{A7C40BA6-1F05-4E6C-9ED5-6C0028958009}\RP497\A0169951.exe\00000000.xor contains the FakeAlert-SysDef.b Trojan. Undetermined clean error, deleted successfully. Detected using Scan engine version 5400.1158 DAT version 6401.0000.

Error: (07/09/2011 07:53:38 PM) (Source: MsiInstaller) (User: Lenovo)Lenovo
Description: Product: Microsoft Kinect for Windows SDK Beta -- Microsoft Kinect for Windows SDK BETA is only supported on Windows 7.

Error: (07/09/2011 07:37:12 PM) (Source: MsiInstaller) (User: Lenovo)Lenovo
Description: Product: Microsoft Baseline Security Analyzer 2.2 -- Error 1316. A network error occurred while attempting to read from the file: C:\Documents and Settings\Lenovo\Desktop\MBSASetup-x86-EN[1].msi

Error: (07/09/2011 07:36:17 PM) (Source: MsiInstaller) (User: Lenovo)Lenovo
Description: Product: Microsoft Baseline Security Analyzer 2.2 -- Error 1316. A network error occurred while attempting to read from the file: C:\Documents and Settings\Lenovo\Desktop\MBSASetup-x86-EN[1].msi

Error: (07/09/2011 06:00:41 PM) (Source: Intel® AMT) (User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.

Error: (07/09/2011 04:25:40 PM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Error: (07/09/2011 04:11:40 PM) (Source: McLogEvent) (User: Lenovo)Lenovo
Description: The scan found detections. Scan engine version 5400.1158 DAT version 6401.

Error: (07/09/2011 01:23:01 PM) (Source: CardSpace 3.0.0.0) (User: SYSTEM)SYSTEM
Description: The Windows CardSpace service is too busy to process this request.
User has too many outstanding requests.



Additional Information:
at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
at System.Environment.get_StackTrace()
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (07/09/2011 00:26:34 PM) (Source: Intel® AMT) (User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.


System errors:
=============
Error: (07/10/2011 00:48:58 AM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747

Error: (07/10/2011 00:48:58 AM) (Source: Service Control Manager) (User: )
Description: The DS1410D service failed to start due to the following error:
%%2

Error: (07/09/2011 07:27:25 PM) (Source: Service Control Manager) (User: )
Description: The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/09/2011 06:03:35 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1070

Error: (07/09/2011 06:03:35 PM) (Source: Service Control Manager) (User: )
Description: The Telephony service hung on starting.

Error: (07/09/2011 06:03:35 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747

Error: (07/09/2011 06:03:35 PM) (Source: Service Control Manager) (User: )
Description: The DS1410D service failed to start due to the following error:
%%2

Error: (07/09/2011 05:59:10 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (07/09/2011 05:48:23 PM) (Source: DCOM) (User: Lenovo)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (07/09/2011 05:47:55 PM) (Source: DCOM) (User: Lenovo)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}


Microsoft Office Sessions:
=========================
Error: (07/10/2011 00:45:34 AM) (Source: Intel® AMT)(User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.

Error: (07/09/2011 08:18:51 PM) (Source: McLogEvent)(User: SYSTEM)SYSTEM
Description: The file C:\System Volume Information\_restore{A7C40BA6-1F05-4E6C-9ED5-6C0028958009}\RP497\A0169951.exe\00000000.xor contains the FakeAlert-SysDef.b Trojan. Undetermined clean error, deleted successfully. Detected using Scan engine version 5400.1158 DAT version 6401.0000.

Error: (07/09/2011 07:53:38 PM) (Source: MsiInstaller)(User: Lenovo)Lenovo
Description: Product: Microsoft Kinect for Windows SDK Beta -- Microsoft Kinect for Windows SDK BETA is only supported on Windows 7.(NULL)(NULL)(NULL)

Error: (07/09/2011 07:37:12 PM) (Source: MsiInstaller)(User: Lenovo)Lenovo
Description: Product: Microsoft Baseline Security Analyzer 2.2 -- Error 1316. A network error occurred while attempting to read from the file: C:\Documents and Settings\Lenovo\Desktop\MBSASetup-x86-EN[1].msi(NULL)(NULL)(NULL)

Error: (07/09/2011 07:36:17 PM) (Source: MsiInstaller)(User: Lenovo)Lenovo
Description: Product: Microsoft Baseline Security Analyzer 2.2 -- Error 1316. A network error occurred while attempting to read from the file: C:\Documents and Settings\Lenovo\Desktop\MBSASetup-x86-EN[1].msi(NULL)(NULL)(NULL)

Error: (07/09/2011 06:00:41 PM) (Source: Intel® AMT)(User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.

Error: (07/09/2011 04:25:40 PM) (Source: EventSystem)(User: )
Description: d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp448007043C

Error: (07/09/2011 04:11:40 PM) (Source: McLogEvent)(User: Lenovo)Lenovo
Description: The scan found detections. Scan engine version 5400.1158 DAT version 6401.

Error: (07/09/2011 01:23:01 PM) (Source: CardSpace 3.0.0.0)(User: SYSTEM)SYSTEM
Description: User has too many outstanding requests.



Additional Information:
at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
at System.Environment.get_StackTrace()
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.BuildMessage(InfoCardBaseException ie)
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.TraceAndLogException(Exception e)
at Microsoft.InfoCards.Diagnostics.InfoCardTrace.ThrowHelperError(Exception e)
at Microsoft.InfoCards.UIAgentMonitor.AddNewClient(UIAgentMonitorHandle handle)
at Microsoft.InfoCards.UIAgentMonitorHandle.CreateAgent(Int32 callerPid, WindowsIdentity callerIdentity, Int32 tsSessionId)
at Microsoft.InfoCards.RequestFactory.CreateClientRequestInstance(UIAgentMonitorHandle monitorHandle, String reqName, IntPtr rpcHandle, Stream inStream, Stream outStream)
at Microsoft.InfoCards.RequestFactory.ProcessNewRequest(Int32 parentRequestHandle, IntPtr rpcHandle, IntPtr inArgs, IntPtr& outArgs)

Error: (07/09/2011 00:26:34 PM) (Source: Intel® AMT)(User: )
Description: [UNS] Failed to subscribe to local Intel® AMT.


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 46%
Total physical RAM: 2021.21 MB
Available physical RAM: 1080.87 MB
Total Pagefile: 3368.14 MB
Available Pagefile: 2513.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1991.86 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:78.59 GB) (Free:37.77 GB) NTFS
3 Drive e: () (Fixed) (Total:70.46 GB) (Free:4.45 GB) NTFS

================= Users: ==================================================

User accounts for \\

-------------------------------------------------------------------------------
Administrator ASPNET Guest
HelpAssistant Lenovo SUPPORT_388945a0
The command completed with one or more errors.

================= End of Users ============================================




#7 EX251
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:21 AM

Posted 09 July 2011 - 05:55 PM

mbam.log:


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7060

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/10/2011 1:53:31 AM
mbam-log-2011-07-10 (01-53-31).txt

Scan type: Quick scan
Objects scanned: 195949
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3E720452-B472-4954-B7AA-33069EB53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.MultipleButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.MultipleButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.UrlAlertButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.UrlAlertButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Value: f3PopularScreensavers -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Value: FunWebProducts -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sys32-w32 (Trojan.Agent) -> Value: Sys32-w32 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig (Windows.Tool.Disabled) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\win-fixed.exe (Trojan.Agent) -> Quarantined and deleted successfully.




#8 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:21 PM

Posted 09 July 2011 - 07:15 PM

Hi EX251,

Looking good so far! :thumbup2:

It appears you have two antivirus programs installed, McAfee and Microsoft Security Essentials. I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files that are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or Microsoft Security Essentials.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#9 EX251
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:21 AM

Posted 10 July 2011 - 01:04 AM

Thanks again Jason. It seems my PC and I are doing well up to now.
Here is the log from the SUPERAntiSpyware run:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/10/2011 at 05:05 AM

Application Version : 4.55.1000

Core Rules Database Version : 7391
Trace Rules Database Version: 5203

Scan type : Complete Scan
Total Scan Time : 02:47:20

Memory items scanned : 543
Memory threats detected : 0
Registry items scanned : 8067
Registry threats detected : 0
File items scanned : 134650
File threats detected : 23

Adware.Tracking Cookie
C:\Documents and Settings\Lenovo\Cookies\lenovo@imrworldwide[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@doubleclick[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@content.yieldmanager[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@content.yieldmanager[3].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@atdmt[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@zedo[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@fastclick[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@advertising[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@ad.yieldmanager[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@collective-media[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@microsoftsto.112.2o7[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@apmebf[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@adserver.adtechus[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@solvemedia[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@liveperson[3].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@server.iad.liveperson[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@www.3dstats[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@mediaplex[2].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@microsoftinternetexplorer.112.2o7[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@msnportal.112.2o7[1].txt
C:\Documents and Settings\Lenovo\Cookies\lenovo@liveperson[1].txt

Adware.MyWebSearch/FunWebProducts
C:\DOCUMENTS AND SETTINGS\LENOVO\MY DOCUMENTS\WAJD.PME



#10 EX251
  • Topic Starter
  • Members
  • 12 posts
  • Local time:02:21 AM

Posted 10 July 2011 - 07:21 AM

Hi Jason,
Here is the gmer.log:
-----------------------------------
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-10 14:53:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 WDC_WD1600AAJS-08PSA0 rev.05.06H05
Running: kq06swk7.exe; Driver: C:\DOCUME~1\Lenovo\LOCALS~1\Temp\kwrcapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAEF10620]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA1CB16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA1CAFC2

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xB9DBD1C8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DBD086]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9DBD020]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9DBD034]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DBD09A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DBD0C6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9DBD134]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9DBD11E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9DBD14A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DBD208]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9DBD176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DBD072]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DBCFE4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DBCFF8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB9DBD1DC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9DBD1B2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9DBD108]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9DBD0F2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DBD0B0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9DBD19E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9DBD18A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9DBD05E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9DBD04A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DBD0DC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DBD237]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9DBD160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DBD21E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DBD1F2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DBD1F6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 805790A8 5 Bytes JMP B9DBD1CC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DBD20C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DBD222 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B841E 7 Bytes JMP B9DBD1E0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DBCFE8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DBCFFC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE8A 5 Bytes JMP B9DBD04E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP B9DBD038 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1230 5 Bytes JMP B9DBD024 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D173A 5 Bytes JMP B9DBD062 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DBD23B mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80622314 7 Bytes JMP B9DBD0F6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DBD0E0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 8062298C 7 Bytes JMP B9DBD164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062323E 7 Bytes JMP B9DBD10C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DBD0B4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DBD08A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DBD09E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DBD0CA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8062493C 7 Bytes JMP B9DBD138 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624BA6 7 Bytes JMP B9DBD122 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DBD076 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80625810 7 Bytes JMP B9DBD1B6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625AD0 5 Bytes JMP B9DBD18E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 80625F20 7 Bytes JMP B9DBD14E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806261C4 5 Bytes JMP B9DBD1A2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806262DE 5 Bytes JMP B9DBD17A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text KDCOM.DLL!KdSendPacket BA5A8345 6 Bytes [FA, 8D, 46, 01, 25, FF]
.text KDCOM.DLL!KdSendPacket BA5A834D 5 Bytes [80, 79, 07, 48, 0D]
.text KDCOM.DLL!KdSendPacket BA5A8353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
.text KDCOM.DLL!KdSendPacket BA5A8371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
.text KDCOM.DLL!KdD0Transition + 8 BA5A838E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
.text KDCOM.DLL!KdD0Transition + 1A BA5A83A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 25 BA5A83CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
.text KDCOM.DLL!KdDebuggerInitialize0 + 2C BA5A83D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 44 BA5A83EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
.text KDCOM.DLL!KdRestore + 2D BA5A848D 1 Byte [43]
.text KDCOM.DLL!KdRestore + 2D BA5A848D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
.text KDCOM.DLL!KdRestore + 7C BA5A84DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
.text KDCOM.DLL!KdRestore + 97 BA5A84F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
.text KDCOM.DLL!KdRestore + AD BA5A850D 241 Bytes CALL BA5A846D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 2 BA5A8F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D0 BA5A901C 2 Bytes [75, 0E] {JNZ 0x10}
PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 1 Byte [C0]
PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 13B BA5A9087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
PAGEKD ...
PAGEKD KDCOM.DLL!KdSendPacket + 6F BA5A9221 181 Bytes [83, C4, 18, 33, C0, 85, FF, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB994D360, 0x24CB9D, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB2661A00]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xABBD6400, 0x7960C, 0xE8000020]
.protect C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect" section [0xABC78420]
.protect C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xABC78200, 0x5049, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1300] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[1300] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\system32\svchost.exe[1300] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 008B0FB9
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00830058
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00830047
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00830036
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00830F79
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00830FA5
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00830F32
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0083007A
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00830F06
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00830F21
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00830EF5
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00830F94
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00830011
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00830069
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00830FB6
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00830FDB
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00830095
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00720FD4
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00720F9E
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0072001B
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0072000A
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0072005B
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00720FEF
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00720FB9
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [92, 88]
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0072004A
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710020
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710F9F
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00710FC1
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710FEF
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00710FB0
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710FDE
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00830FEF
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00830F5C
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0083005B
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00830F8D
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0083004A
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00830025
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00830F24
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00830F35
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00830EEE
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00830087
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008300A2
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00830FA8
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0083006C
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00830FB9
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00830FCA
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00830F13
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00820FB9
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00820051
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00820FCA
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00820FE5
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00820036
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00820F9E
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A2, 88]
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00820025
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0081003F
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!system 77C293C7 5 Bytes JMP 00810FB4
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00810FE3
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0081002E
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0081001D
.text C:\WINDOWS\system32\svchost.exe[1464] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0076
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0F77
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0051
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0040
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF00AE
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF009D
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F30
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF0F4B
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0F1F
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0F9E
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FDE
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F66
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF00D3
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FCD
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E0080
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0014
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E0065
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006E004A
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0039
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0F8B
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0016
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0FC1
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FB0
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0FDE
.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006B001B
.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006B0FE5
.text C:\WINDOWS\system32\svchost.exe[1712] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 006B0036
.text C:\WINDOWS\system32\svchost.exe[1712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F43
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0036
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F83
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0064
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F1C
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00A1
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0090
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00B2
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F94
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0053
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[3092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A007F
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FC3
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F72
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290014
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FDE
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F83
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F9E
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[3092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[3092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0044
.text C:\WINDOWS\System32\svchost.exe[3092] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FB9
.text C:\WINDOWS\System32\svchost.exe[3092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FE5
.text C:\WINDOWS\System32\svchost.exe[3092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[3092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FCA
.text C:\WINDOWS\System32\svchost.exe[3092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[3092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00390FEF

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSendPacket] [BA5A8631] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD0Transition] [BA5A85DF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD3Transition] [BA5A85E9] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdReceivePacket] [BA5A860D] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize0] [BA5A85F3] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSave] [BA5A8625] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize1] [BA5A85FF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 736F746E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 6C6E726B
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6578652E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 00000000
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 2E6C6168

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:112] 8A7810B3
Thread System [4:120] 8A781923
Thread System [4:124] 8A7827FB

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Control\Session Manager@PendingFileRenameOperations ???&?????o?o????input.inf????=?=?=??? ?????????????????????'?????????????????f??? ?????????????????????'?????????????????f??9FCAFF91F4AD45F885D69E40D512103B?????&???&??????????????c:\Program Files\Microsoft Security Client\Antimalware\MpEvMsg.dll?tml??? ?????????????&?? ??&?'??????$??????????c???????????W???????B???????&?????????????ram???????????e??????ct?????????????????s?A???&????$??&???&???????e??? ???????r??????pN??? ???????&???????????%?<????????????????????disk.inf????HID\Vid_0079&Pid_0006\6&1610cace&0&0000??&???????&???&???h???*???????&???o????hFil??"c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe"?M????<??&???\?????e.E??COM Infrastructure??00????N??5???,???)???????)????????????J??)???&???????&??????????????????????Microsoft????????&???????h???????????&????????l??&????????h????????6???6??????X??&???h?????e M???&??HID\Vid_0079&Pid_0006\6&28ca7b73&0&0000?{a????n??&???e??????????SBP2????Microsoft??????*???*????Microsoft Antimalware Service???? ???&???&?????&?&???????&???9???????e??? ?

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
#11 EX251

EX251
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 10 July 2011 - 07:28 AM

Hi Jason,
I hope you are doing well.

Right now, I did all the steps you have recommended. The PC seems to be faster and performing better. But I still have a problem.

Before I did what you recommended, I scanned the PC using McAfee and Microsoft Security and other stuff from the net. I was able to delete some spam through the antiviruses and also directly using the C: commands, for example the Windows XP Repair directory and the files that appeared in it.
Also, since all files and directories appeared to be hidden, I unhid them all using attribute -H. The desktop files came back, but all the icons on Start Menu -> All Programs returned as names but were EMPTY! This includes Accessories and all its contents, such as System Tools, and also the icon for Administrative Tools, which is completely empty! What could I do?
I do thank you so much for your great efforts.
Awaiting your response.

EX251

#12 EX251

EX251
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 10 July 2011 - 08:03 AM

Hello Jason,

The problem exists as follows: If I press Start - All Programs, I don't get a listing of all my programs as I used to. It's therefore very awkward to open a program for which I don't have a shortcut on the desktop. If I press Start - All Programs - Accessories - System Tools, all that shows up is Internet Explorer (no add-ons). This is particularly inconvenient, because I don't even know where to find the system tools! Do I need to reinstall Windows XP? If so, how do I do it? If there's a simpler solution, what is it?

Thanks

#13 EX251

EX251
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:21 AM

Posted 10 July 2011 - 09:27 AM

Hi Jason,

I used the unhide.exe program and it works very well to fix the Start Menu, All Programs, Administrative Tools, System Tools, etc. It did a great job and all the shortcuts came back.

The PC worked excellently and very fast. But after 2 hours McAfee alerted again that it had found a virus [TDSS.e!rootkit [Trojan]] and that it was deleted!
It seems it is on its way back to my PC!
What is happening!
Thanks for your help


EX251

#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:21 PM

Posted 10 July 2011 - 10:49 AM

Hi EX251,

I would have suggested unhide.exe, but you found that and ran it yourself. Glad you have that part fixed!

Step 1: As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please carefully follow the steps in the following guide:

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

If, after running TDSSKiller, you are still unable to update Malwarebytes' Anti-Malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing here (please let me know if this is the case):

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic

Step 2: Rerun Malwarebytes. Select the Update tab, and click on Check for Updates.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
