Infected with XP Home Security 2012


  • This topic is locked
16 replies to this topic

#1 RichmondJohn
  • Members
  • 10 posts

Posted 25 July 2011 - 07:57 AM

Hi - I have what appears to be a virus on my machine that triggers "popup boxes" to randomly appear. Also the Windows security symbol appears in the bottom right corner (next to the time) with comment boxes appearing at random as well.

The popup boxes are titled XP Home Security 2012 in the blue banner.

Sometimes the content of the "popup box" will be showing that my firewall is not ON and that I have no internet security (I actually have McAfee loaded as my internet security).

Sometimes the content lists that I have 15 or more affected files. And sometimes it states that there is a "security system alert".

Always the popup boxes are asking me to purchase the full version of "XP Home Security 2012".

The "comment boxes" usually have titles like "Malware intrusion!" or "System hijack!" or "Tracking software found!" with a description of the (supposed) issue below the title.

When I run the McAfee scan it identifies 1 issue but then appears to stall on checking a file for a long time.

My dds log content is as follows:


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by JOHN RICHMOND at 22:20:16 on 2011-07-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.160 [GMT 10:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\dgd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Desktop\gmer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://au.search.yahoo.com/search?fr=mcafee&p=%s%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110506202159.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Mobile Partner] "c:\program files\wireless broadband\Wireless Broadband.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\john richmond\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [2270744052] c:\documents and settings\networkservice\local settings\application data\dgd.exe
StartupFolder: c:\docume~1\johnri~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{73F13F1B-93D6-41E2-ADAC-4CEB70FACA60} : DhcpNameServer = 10.1.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\go333c~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-24 84200]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-24 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-24 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-24 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-24 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-24 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-24 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-24 141792]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-24 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-24 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-24 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-24 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-24 88736]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-29 136176]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe --> c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [?]
S3 ATKXPDisplayName;ATKXPDisplayName;c:\windows\system32\drivers\ATKACPI.sys [2008-3-14 5760]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-6-30 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-29 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-24 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-24 84488]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\dgd.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-07-25 08:37:01 0 --sha-w- c:\windows\musirc4.exe
2011-07-25 08:31:00 0 --sha-w- c:\windows\mswmcls.exe
2011-07-25 08:19:01 116224 --sha-w- c:\windows\pdesknet.exe
2011-07-24 03:14:09 -------- d-----w- c:\program files\VideoLAN
2011-07-24 02:54:46 -------- d-----w- c:\documents and settings\john richmond\application data\DriverFinder
2011-07-24 02:53:09 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-07-24 02:53:03 -------- d-----w- c:\program files\AC3Filter
2011-07-23 11:52:56 356352 ----a-w- c:\windows\eSellerateEngine.dll
2011-07-23 11:52:02 -------- d-----w- c:\program files\common files\DeskShare Shared
2011-07-23 11:52:00 258352 ----a-w- c:\windows\system32\Unicows.dll
2011-07-23 11:51:40 -------- d-----w- c:\program files\Deskshare
2011-07-23 11:38:28 -------- d-----w- c:\documents and settings\john richmond\application data\DDMSettings
2011-07-23 10:55:48 -------- d-----w- c:\program files\iPod
2011-07-23 10:36:10 -------- d-----w- c:\program files\Bonjour
2011-07-22 08:00:13 -------- d-----w- c:\program files\ElcomSoft
2011-07-21 12:40:10 -------- d-----w- c:\windows\pss
2011-07-19 11:40:16 -------- d-----w- c:\program files\MKV Player
2011-07-18 10:59:49 -------- d-----w- c:\program files\Digiarty
2011-07-12 01:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 01:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 01:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 01:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-06-30 12:14:03 -------- d-----w- c:\program files\common files\WebM Project
.
==================== Find3M ====================
.
2011-06-20 09:36:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-17 18:54:34 71677 --sh--w- c:\windows\lks.exe
2011-06-17 18:54:34 59719 --sh--w- c:\windows\hpc.exe
2011-06-17 18:54:32 71674 --sh--w- c:\windows\chp.exe
2011-06-17 18:54:32 66045 --sh--w- c:\windows\pst.exe
2011-06-17 18:54:32 59895 --sh--w- c:\windows\nst.exe
2011-06-16 10:40:33 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-06-08 00:55:02 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2011-06-08 00:54:48 24576 ------w- c:\windows\system32\msxml3a.dll
2011-06-08 00:53:24 10915840 ----a-w- c:\windows\system32\libmfxhw32.dll
2011-06-08 00:53:12 10833920 ----a-w- c:\windows\system32\libmfxsw32.dll
2011-06-02 17:53:02 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-09 22:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-09 22:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-03 18:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-03 16:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
============= FINISH: 22:23:03.27 ===============


#2 Jack&Jill
  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 04 August 2011 - 12:20 AM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 5 days, this topic will be closed. If you have since resolved the original problem you were having, we would appreciate you letting us know.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#3 RichmondJohn
  • Topic Starter
  • Members
  • 10 posts

Posted 04 August 2011 - 12:31 AM

Thank you Jack&Jill - I appreciate your time.

I may have already set myself up for immediate notification as the only option I see is to stop watching the topic. Regardless I will be constantly monitoring your communications.

One thing I should mention is I am hoping to check if the virus has affected my external portable hard drive.

Looking forward to working with you to remove this virus.

Regards

#4 Jack&Jill
  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 04 August 2011 - 01:07 AM

Hello RichmondJohn :),

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Board Rules and Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 5 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

One thing I should mention is I am hoping to check if the virus has affected my external portable hard drive.


I will take a look. I see the drive is plugged in when you ran DDS. Please keep it connected.

--------------------

Scan with RogueKiller
  • Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
    Link 1
    Link 2

  • Allow the download if prompted by your security software and please close all your programs.
  • Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
  • A program window will open. Type 1 for Scan and press Enter when prompted.
  • Once finished, Notepad will open with a log called RKreport.txt, located at the desktop.
  • Please copy and paste the contents of that log in your next reply.
--------------------

Please download aswMBR and save it to your desktop. Click here.
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
--------------------

Please post back:
1. RogueKiller log
2. aswMBR result

Edited by Jack&Jill, 04 August 2011 - 07:26 AM.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#5 RichmondJohn
  • Topic Starter
  • Members
  • 10 posts

Posted 04 August 2011 - 07:02 AM

Hi Jack&Jill

As requested below is the outcome from RogueKiller:


RogueKiller V5.3.0 [08/01/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: JOHN RICHMOND [Admin rights]
Mode: Scan -- Date : 08/04/2011 21:45:02

Bad processes: 0

Registry Entries: 15
[SUSP PATH] At8.job : c:\windows\pst.exe -> FOUND
[SUSP PATH] At7.job : c:\windows\chp.exe -> FOUND
[SUSP PATH] At6.job : c:\windows\nst.exe -> FOUND
[SUSP PATH] At5.job : c:\windows\hpc.exe -> FOUND
[SUSP PATH] At4.job : c:\windows\lks.exe -> FOUND
[SUSP PATH] At3.job : c:\windows\pst.exe -> FOUND
[SUSP PATH] At2.job : c:\windows\chp.exe -> FOUND
[SUSP PATH] At10.job : c:\windows\hpc.exe -> FOUND
[SUSP PATH] At1.job : c:\windows\nst.exe -> FOUND
[SUSP PATH] At9.job : c:\windows\lks.exe -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\dgd.exe" -a "%1" %*) -> FOUND

HOSTS File:


Finished : << RKreport[1].txt >>
RKreport[1].txt

And the outcome from the aswMBR:

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-04 21:58:47
-----------------------------
21:58:47.477 OS Version: Windows 5.1.2600 Service Pack 3
21:58:47.477 Number of processors: 1 586 0xD06
21:58:47.477 ComputerName: JOHN-4E01040970 UserName: JOHN RICHMOND
21:58:50.972 Initialize success
21:59:17.180 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:59:17.180 Disk 0 Vendor: FUJITSU_MHT2060AT 0022 Size: 57231MB BusType: 3
21:59:19.193 Disk 0 MBR read successfully
21:59:19.193 Disk 0 MBR scan
21:59:19.193 Disk 0 Windows XP default MBR code
21:59:19.193 Disk 0 scanning sectors +117194175
21:59:19.293 Disk 0 scanning C:\WINDOWS\system32\drivers
21:59:45.240 Service scanning
21:59:54.043 Modules scanning
22:00:12.580 Disk 0 trace - called modules:
22:00:12.910 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
22:00:12.910 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83367ab8]
22:00:12.910 3 CLASSPNP.SYS[f8696fd7] -> nt!IofCallDriver -> \Device\0000008b[0x833059e8]
22:00:12.910 5 ACPI.sys[f85ed620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83305d98]
22:00:13.241 Scan finished successfully
22:00:39.068 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\JOHN RICHMOND\Desktop\MBR.dat"
22:00:39.468 The log file has been saved successfully to "C:\Documents and Settings\JOHN RICHMOND\Desktop\aswMBR.txt"

Any issues please let me know.

Regards

RichmondJohn
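The DDS log in the first post and the RogueKiller report above show the same rogue's footprint from two angles: an `exefile` association that routes every .exe launch through dgd.exe under the NetworkService profile, a `dRun` (Default User hive) entry with a numeric-only name pointing at that same file, hidden+system executables dropped straight into C:\WINDOWS, the At*.job scheduled tasks that relaunch them, and the Security Center *DisableNotify values that silence the firewall and antivirus warnings. The script below is an added example, not code from the thread and not part of DDS or RogueKiller; it parses lines in those two tools' formats and flags each of those indicators. The sample lines are constructed from the logs posted in this thread, and the indicator names, the `SUSPICIOUS_DIRS` list and the default-association constant are my own choices (the stock `.exe` open command `"%1" %*` is the value RogueKiller later restores).

```python
"""Triage DDS / RogueKiller log lines for the rogue-AV footprint seen in this thread.

Indicators checked (added example; names are my own):
  * exefile association that is anything other than the stock "%1" %*
  * Run-key entries launching from a service profile, or with a numeric-only name
  * hidden+system .exe files created directly in C:\\WINDOWS (DDS Created/Find3M lines)
  * At*.job scheduled tasks flagged by RogueKiller
  * Security Center *DisableNotify values set to 1
"""
import re
from dataclasses import dataclass

# Locations from which normally installed software does not run (assumption).
SUSPICIOUS_DIRS = (
    "\\networkservice\\local settings\\application data",
    "\\localservice\\local settings\\application data",
    "\\local settings\\temp\\",
)
DEFAULT_EXEFILE = '"%1" %*'  # stock HKCR\exefile\shell\open\command value

EXEFILE_RE = re.compile(r"^exefile=(.*)$", re.I)
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]*)\]\s*(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+([-a-z]{8})\s+(.*)$")
WINDIR_EXE_RE = re.compile(r"c:\\windows\\[^\\]+\.exe")  # .exe in the %WINDIR% root only
JOB_RE = re.compile(r"\[SUSP PATH\] (At\d+\.job) : (.+?) -> ")
SECCENTER_RE = re.compile(r"Security Center : (\w+DisableNotify) \((\d)\)")


@dataclass
class Finding:
    kind: str
    detail: str


def triage(lines):
    """Return one Finding per suspicious line; unknown line shapes are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = EXEFILE_RE.match(line)
        if m:
            value = m.group(1).strip()
            if value != DEFAULT_EXEFILE:  # anything else wraps every .exe launch
                findings.append(Finding("exefile_hijack", value))
            continue

        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if name.isdigit() or any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding("run_key", f"{hive}Run [{name}] {cmd}"))
            continue

        m = CREATED_RE.match(line)
        if m:
            _stamp, _size, attrs, path = m.groups()
            # DDS attribute string: 's' = system, 'h' = hidden
            if "s" in attrs and "h" in attrs and WINDIR_EXE_RE.fullmatch(path.lower()):
                findings.append(Finding("hidden_windir_exe", path))
            continue

        m = JOB_RE.search(line)
        if m:
            findings.append(Finding("at_job", f"{m.group(1)} -> {m.group(2)}"))
            continue

        m = SECCENTER_RE.search(line)
        if m and m.group(2) == "1":
            findings.append(Finding("security_center_notify_off", m.group(1)))
    return findings


def counts(findings):
    """Indicator kind -> number of hits, for a one-line summary."""
    out = {}
    for f in findings:
        out[f.kind] = out.get(f.kind, 0) + 1
    return out


# Constructed sample: line shapes copied from the DDS and RogueKiller logs in this thread.
SAMPLE_LOG = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [<NO NAME>]
dRun: [2270744052] c:\documents and settings\networkservice\local settings\application data\dgd.exe
exefile="c:\documents and settings\networkservice\local settings\application data\dgd.exe" -a "%1" %*
2011-07-25 08:37:01 0 --sha-w- c:\windows\musirc4.exe
2011-07-25 08:19:01 116224 --sha-w- c:\windows\pdesknet.exe
2011-07-24 02:53:09 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-06-17 18:54:34 71677 --sh--w- c:\windows\lks.exe
[SUSP PATH] At8.job : c:\windows\pst.exe -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.kind:28} {f.detail}")
    print(counts(found))
```

Run against the sample it reports seven hits: the association hijack, the numeric dRun entry, three hidden+system executables in C:\WINDOWS (ac3filter.acm is ignored because it is neither in the root nor an .exe), the At8.job task and the AntiVirusDisableNotify flag. The association check is the one to look at first on a machine like this: while `exefile` points at dgd.exe, every tool you double-click is started through the rogue, which is why RogueKiller's Remove pass restores `"%1" %*` before the MBAM installer is run.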

#6 Jack&Jill
  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 04 August 2011 - 07:26 AM

Hello RichmondJohn :),

RogueKiller in action
  • Please rerun RogueKiller.
  • At the prompt, type 2 for Remove and press Enter.
  • Try a few times if it does not run.
  • Post back the new result.
--------------------

Please download Malwarebytes' Anti-Malware (MBAM)© from Malwarebytes and save it to your desktop. Click here.

Run MBAM
  • Double click on mbam-setup.exe and follow the prompts to install the program.
  • At the end of installation, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • MBAM will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update mirror, select one of the websites and click on Check for Updates.
  • Upon completion of update and loading, select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Please post back:
1. RogueKiller result
2. MBAM report

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#7 RichmondJohn
  • Topic Starter
  • Members
  • 10 posts

Posted 04 August 2011 - 06:33 PM

Hi Jack&Jill

I was not asked to reboot my computer after running either application.

The RogueKiller result was:


RogueKiller V5.3.0 [08/01/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: JOHN RICHMOND [Admin rights]
Mode: Remove -- Date : 08/04/2011 23:32:46

Bad processes: 0

Registry Entries: 15
[SUSP PATH] At8.job : c:\windows\pst.exe -> DELETED
[SUSP PATH] At7.job : c:\windows\chp.exe -> DELETED
[SUSP PATH] At6.job : c:\windows\nst.exe -> DELETED
[SUSP PATH] At5.job : c:\windows\hpc.exe -> DELETED
[SUSP PATH] At4.job : c:\windows\lks.exe -> DELETED
[SUSP PATH] At3.job : c:\windows\pst.exe -> DELETED
[SUSP PATH] At2.job : c:\windows\chp.exe -> DELETED
[SUSP PATH] At10.job : c:\windows\hpc.exe -> DELETED
[SUSP PATH] At1.job : c:\windows\nst.exe -> ERROR
[SUSP PATH] At9.job : c:\windows\lks.exe -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILE ASSO] HKLM\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\dgd.exe" -a "%1" %*) -> REPLACED : ("%1" %*)

HOSTS File:


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


The MBAM Report was:


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7375

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/08/2011 9:25:18 AM
mbam-log-2011-08-05 (09-25-18).txt

Scan type: Full scan (C:\|E:\|H:\|)
Objects scanned: 296771
Time elapsed: 3 hour(s), 31 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\john richmond\Desktop\rk_quarantine\chp.exe.vir (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\john richmond\Desktop\rk_quarantine\hpc.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\john richmond\Desktop\rk_quarantine\lks.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\john richmond\Desktop\rk_quarantine\nst.exe.vir (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\john richmond\Desktop\rk_quarantine\pst.exe.vir (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\john richmond\local settings\Temp\xvid_h246.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\john richmond\local settings\temporary internet files\Content.IE5\85K93K6E\lockhunter1_3419[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\john richmond\local settings\temporary internet files\Content.IE5\DRJKDUST\xvid.h264[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\ZWI27E4A\ns2i[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f55c3b2d-cfe5-4c59-951d-5248a69e99f2}\RP675\A0100006.exe (Adware.RelevantKnowledge) -> Not selected for removal.
c:\system volume information\_restore{f55c3b2d-cfe5-4c59-951d-5248a69e99f2}\RP675\A0100008.dll (Adware.RelevantKnowledge) -> Not selected for removal.
c:\system volume information\_restore{f55c3b2d-cfe5-4c59-951d-5248a69e99f2}\RP675\A0100009.exe (Adware.RelevantKnowledge) -> Not selected for removal.
c:\WINDOWS\nst.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\pdesknet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\pst.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\hpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\chp.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\lks.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Regards

RichmondJohn
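
The `[FILE ASSO]` and `[HJ]` lines of the RogueKiller report above are the two tamper techniques worth re-checking after cleanup: the `.exe` open command was rewritten so every program launch ran the rogue's `dgd.exe` first, and the three Security Center `*DisableNotify` values were set to 1 so Windows would not warn that AV, firewall or updates were off. The following is an added example (not RogueKiller's code or anything posted in the thread) that audits a registry snapshot for both conditions; the snapshot dict layout, function names and sample snapshots are my own constructions.

```python
"""
Audit a registry snapshot for the two tamper techniques seen in the
RogueKiller report: the .exe file-association hijack and suppressed
Security Center notifications.  Added example, not RogueKiller code.
"""
import re
import sys

# Stock Windows XP value for HKLM\Software\Classes\.exe\shell\open\command.
EXPECTED_EXE_OPEN_COMMAND = '"%1" %*'

EXE_OPEN_KEY = r"HKLM\Software\Classes\.exe\shell\open\command"
SECURITY_CENTER_KEY = r"HKLM\Software\Microsoft\Security Center"
# Each of these REG_DWORD values should be 0 (or absent) on a healthy system.
SECURITY_CENTER_NOTIFY_VALUES = (
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
)


def check_exe_association(command):
    """Return a finding string if the .exe open command is not the stock
    value, else None.  Anything other than '"%1" %*' means some program is
    interposed in front of every executable the user launches."""
    if command.strip() == EXPECTED_EXE_OPEN_COMMAND:
        return None
    # The first token (quoted or bare) is the interposed program.
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    interposer = (m.group(1) or m.group(2)) if m else command.strip()
    return f"{EXE_OPEN_KEY}: {interposer!r} runs before every .exe"


def check_security_center(values):
    """Return one finding per *DisableNotify value that is not 0."""
    findings = []
    for name in SECURITY_CENTER_NOTIFY_VALUES:
        if values.get(name, 0) != 0:
            findings.append(
                f"{SECURITY_CENTER_KEY}\\{name} = {values[name]} "
                "(Security Center warnings suppressed)"
            )
    return findings


def audit(snapshot):
    """snapshot: {key_path: {value_name: data}}; '(Default)' is the default value."""
    findings = []
    command = snapshot.get(EXE_OPEN_KEY, {}).get("(Default)")
    if command is not None:
        finding = check_exe_association(command)
        if finding:
            findings.append(finding)
    findings.extend(check_security_center(snapshot.get(SECURITY_CENTER_KEY, {})))
    return findings


def read_live_snapshot():
    """Build the snapshot from the local registry (Windows only, read-only)."""
    import winreg  # standard library, only available on Windows
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Classes\.exe\shell\open\command") as key:
        data, _ = winreg.QueryValueEx(key, "")  # "" reads the default value
        snapshot[EXE_OPEN_KEY] = {"(Default)": data}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Security Center") as key:
        for name in SECURITY_CENTER_NOTIFY_VALUES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: treated as 0 by check_security_center
    snapshot[SECURITY_CENTER_KEY] = values
    return snapshot


# Constructed snapshots.  The infected one mirrors the pre-repair values in the
# RogueKiller report (the part of each line before "-> REPLACED").
INFECTED_SNAPSHOT = {
    EXE_OPEN_KEY: {"(Default)": '"C:\\Documents and Settings\\NetworkService'
                                '\\Local Settings\\Application Data\\dgd.exe" -a "%1" %*'},
    SECURITY_CENTER_KEY: {"AntiVirusDisableNotify": 1,
                          "FirewallDisableNotify": 1,
                          "UpdatesDisableNotify": 1},
}
CLEAN_SNAPSHOT = {
    EXE_OPEN_KEY: {"(Default)": '"%1" %*'},
    SECURITY_CENTER_KEY: {"AntiVirusDisableNotify": 0,
                          "FirewallDisableNotify": 0,
                          "UpdatesDisableNotify": 0},
}

if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for line in audit(snapshot) or ["no tampering found"]:
        print(line)
```

On a non-Windows box the script runs against the constructed infected snapshot and reports all four findings; on Windows it reads the live keys instead.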

#8 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 04 August 2011 - 06:49 PM

Hello RichmondJohn :),

These are some of the programs that I would not keep. Uninstall them if you wish.
Conduit Engine
Vuze
Vuze Remote Toolbar

Rerun DDS and post back DDS.txt.

--------------------

Please close all programs and do not run any others before and during the Rootkit Unhooker scan. Do not use the computer for anything else until after the scan is completed.

Please download Rootkit Unhooker and save it to your desktop. Click here.
  • Double click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Ensure the following are checked (ticked):
    • Drivers
    • Stealth Code
    • Files
    • Code Hooks
  • Uncheck the rest, then click OK. An initial scan will be performed.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
  • Save the report somewhere you can find it. Click Close to exit.
  • Copy the entire contents of the report and paste it in your next reply.
You may get a warning about parasite detection. Please click OK to continue.

--------------------

Please post back:
1. fresh DDS.txt
2. Rootkit Unhooker log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#9 RichmondJohn

RichmondJohn
  • Topic Starter

  • Members
  • 10 posts

Posted 04 August 2011 - 09:34 PM

Hi Jack&Jill

I am in the Report tab of RKUnhookerLE, but the tab's content window is blank, so I can't check / uncheck the items you suggested.

Should I re-install the software or just scan?

Regards

Richmondjohn

#10 RichmondJohn

RichmondJohn
  • Topic Starter

  • Members
  • 10 posts

Posted 04 August 2011 - 09:36 PM

Hi Jack&Jill

Please ignore my last post - I worked it out.

Regards

RichmondJohn

#11 RichmondJohn

RichmondJohn
  • Topic Starter

  • Members
  • 10 posts

Posted 04 August 2011 - 10:08 PM

Hi Jack&Jill

I acted on your recommendation and uninstalled Conduit Engine and the Vuze toolbar. I kept Vuze loaded; is this a major issue?

My new dds log is:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by JOHN RICHMOND at 12:18:00 on 2011-08-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.57 [GMT 10:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\JOHN RICHMOND\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://au.search.yahoo.com/search?fr=mcafee&p=%s%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110506202159.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Mobile Partner] "c:\program files\wireless broadband\Wireless Broadband.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\john richmond\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\johnri~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{73F13F1B-93D6-41E2-ADAC-4CEB70FACA60} : DhcpNameServer = 10.1.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\go333c~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-24 84200]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-24 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-4 22712]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-24 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-24 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-24 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-24 88736]
S3 ATKXPDisplayName;ATKXPDisplayName;c:\windows\system32\drivers\ATKACPI.sys [2008-3-14 5760]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-4 41272]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-24 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-24 84488]
.
=============== Created Last 30 ================
.
2011-08-04 13:36:16 -------- d-----w- c:\documents and settings\john richmond\application data\Malwarebytes
2011-08-04 13:35:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 13:35:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-04 13:35:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 13:35:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-25 08:37:01 0 --sha-w- c:\windows\musirc4.exe
2011-07-25 08:31:00 0 --sha-w- c:\windows\mswmcls.exe
2011-07-24 03:14:09 -------- d-----w- c:\program files\VideoLAN
2011-07-24 02:54:46 -------- d-----w- c:\documents and settings\john richmond\application data\DriverFinder
2011-07-24 02:53:09 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-07-24 02:53:03 -------- d-----w- c:\program files\AC3Filter
2011-07-23 11:52:56 356352 ----a-w- c:\windows\eSellerateEngine.dll
2011-07-23 11:52:02 -------- d-----w- c:\program files\common files\DeskShare Shared
2011-07-23 11:52:00 258352 ----a-w- c:\windows\system32\Unicows.dll
2011-07-23 11:51:40 -------- d-----w- c:\program files\Deskshare
2011-07-23 11:38:28 -------- d-----w- c:\documents and settings\john richmond\application data\DDMSettings
2011-07-23 10:55:48 -------- d-----w- c:\program files\iPod
2011-07-23 10:36:10 -------- d-----w- c:\program files\Bonjour
2011-07-22 08:00:13 -------- d-----w- c:\program files\ElcomSoft
2011-07-21 12:40:10 -------- d-----w- c:\windows\pss
2011-07-19 11:40:16 -------- d-----w- c:\program files\MKV Player
2011-07-18 10:59:49 -------- d-----w- c:\program files\Digiarty
2011-07-12 01:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 01:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 01:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 01:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
==================== Find3M ====================
.
2011-06-20 09:36:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 10:40:33 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-06-08 00:55:02 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2011-06-08 00:54:48 24576 ------w- c:\windows\system32\msxml3a.dll
2011-06-08 00:53:24 10915840 ----a-w- c:\windows\system32\libmfxhw32.dll
2011-06-08 00:53:12 10833920 ----a-w- c:\windows\system32\libmfxsw32.dll
2011-06-02 17:53:02 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-09 22:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-09 22:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
============= FINISH: 12:22:12.82 ===============


When I ran RKUnhookerLE I kept getting an ERROR pop-up box stating "Error starting helper service" just after nominating C:/, E:/ & H:/ for scanning. If I clicked OK it reappeared two more times, then the scan occurred and a report was generated (note: the ERROR pop-up box only appeared once when I selected only C:/ for scanning).

I thought it might be my McAfee internet security that was blocking something, as straight after the ERROR pop-up boxes disappeared, a pop-up box labelled McAfee Internet Security informed me that a trojan file had been detected and removed. So I turned off the McAfee real-time scanning facility; however, the pop-up boxes still appeared. Am I doing something wrong, or is there a setting in McAfee that I need to change?

In any case, below is the report content for RKUnhookerLE:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF087000 C:\WINDOWS\System32\ati3duag.dll 2256896 bytes (ATI Technologies Inc. , ati3duag.dll)
0xF75C2000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 2220032 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF73FB000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF7847000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 909312 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF7355000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 679936 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF83A8000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF2AE000 C:\WINDOWS\System32\ativvaxx.dll 483328 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xBA58C000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF71F4000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF844C000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xBA724000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB7F61000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF7282000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xBF324000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB75E8000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF04B000 C:\WINDOWS\System32\ati2cqag.dll 245760 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF754F000 C:\WINDOWS\system32\drivers\stac97.sys 245760 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 233472 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF74FA000 C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys 200704 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xF7252000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF77E0000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 192512 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xF8567000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB8171000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF837B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB69A0000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xBA5FC000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBA6E9000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF84F3000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF72F5000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xF752B000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF780F000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF758B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xBA6C7000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF84BB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8519000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF8538000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF8361000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF84DB000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xBA54C000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF8435000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF732A000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB832E000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xB698A000 C:\WINDOWS\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB75AB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7341000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xF75AE000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7833000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EF000 ACPI_HAL 81152 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xBA77D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBA711000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF84A9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8556000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7319000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7965000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8716000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF86E6000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF85D6000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7975000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF8736000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8726000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB77A0000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF87D6000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF85E6000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF85B6000 pkunotih.sys 57344 bytes
0xF8626000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF86F6000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8756000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8606000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB7975000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xB6B0E000 C:\WINDOWS\system32\drivers\mfebopk.sys 49152 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF8776000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF8646000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF8816000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8706000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF85F6000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8766000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF85C6000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF87C6000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF8636000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF8796000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB6B1E000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF8616000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8746000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB734F000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF8786000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8806000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF7985000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF8996000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF888E000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF896E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF894E000 C:\DOCUME~1\JOHNRI~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF8986000 C:\WINDOWS\system32\DRIVERS\nscirda.sys 28672 bytes (National Semiconductor Corporation, NSC Fast Infrared Driver.)
0xF8836000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF89BE000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xF889E000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF898E000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF8976000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF897E000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8966000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF887E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8886000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF883E000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF89AE000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF899E000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF89B6000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF89A6000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF88A6000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF89CE000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF8325000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA7B4000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF8A76000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB845C000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF89D2000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF89C6000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF89CA000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF8A8E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8331000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xB8155000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF8A5A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8AB2000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8B00000 C:\WINDOWS\system32\DRIVERS\ATKACPI.sys 8192 bytes (-, ATK0100 ACPI Utility)
0xF8B24000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8ABA000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8B76000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8B22000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8AB6000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8B26000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8B32000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8B28000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8B02000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xF8B10000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8B12000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8AB8000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8C9E000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8C96000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8CF5000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8B7F000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF8B7E000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe-->NtCreateKey, Type: Inline - RelativeJump 0x8057376F-->F847F214 [mfehidk.sys]
ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x80597FFA-->F847F228 [mfehidk.sys]
ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80595C1A-->F847F254 [mfehidk.sys]
ntoskrnl.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x8057AC99-->F847F2AA [mfehidk.sys]
ntoskrnl.exe-->NtOpenKey, Type: Inline - RelativeJump 0x80568F68-->F847F200 [mfehidk.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x80574AA9-->F847F1D8 [mfehidk.sys]
ntoskrnl.exe-->NtOpenThread, Type: Inline - RelativeJump 0x8059323B-->F847F1EC [mfehidk.sys]
ntoskrnl.exe-->NtRenameKey, Type: Inline - RelativeJump 0x8064F526-->F847F23E [mfehidk.sys]
ntoskrnl.exe-->NtSetSecurityObject, Type: Inline - RelativeJump 0x8059D2BD-->F847F280 [mfehidk.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x8057BC5B-->F847F26A [mfehidk.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805839B9-->F847F2D4 [mfehidk.sys]
ntoskrnl.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x8057A81E-->F847F2C0 [mfehidk.sys]
ntoskrnl.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x804F0EB6-->F847F294 [mfehidk.sys]
[1100]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->62419A20 [McProxy.dll]
[1100]McSvHost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->62419AE2 [McProxy.dll]
[1144]mfevtps.exe-->crypt32.dll-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x77A81044-->00407740 [mfevtps.exe]
[1144]mfevtps.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->004077A0 [mfevtps.exe]
[1248]chrome.exe-->kernel32.dll+0x000027D0, Type: Code Mismatch 0x7C8027D0 + 10192 [10 00 AC 83]
[1248]chrome.exe-->kernel32.dll-->CreateNamedPipeW, Type: IAT modification 0x004711D4-->002C0010 [unknown_code_page]
[1248]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 6 [28 00 16 00]
[1248]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 6 [28]
[1248]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 8 [16 00]
[1248]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 6 [68 00 16 00]
[1248]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 6 [A8 01 16 00]
[1248]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Inline - RelativeCall 0x7C90D614-->7B90EC1A [unknown_code_page]
[1248]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 6 [A8 02 16 00]
[1248]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 6 [68 01 16 00]
[1248]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 6 [68 02 16 00]
[1248]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Inline - RelativeCall 0x7C90D684-->7B90EC8B [unknown_code_page]
[1248]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Code Mismatch 0x7C90D67E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 6 [A8 00 16 00]
[1248]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Inline - RelativeCall 0x7C90D7B4-->7B90EDB9 [unknown_code_page]
[1248]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Code Mismatch 0x7C90D7AE + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 6 [28 01 16 00]
[1248]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 6 [28 02 16 00]
[1248]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 11 [E2]
[1248]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 6 [68]
[1248]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 8 [16 00]
[1248]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 11 [E2]
[1360]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00C90FCD [unknown_code_page]
[1360]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00C9005E [unknown_code_page]
[1360]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00C90F97 [unknown_code_page]
[1360]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00C90FB2 [unknown_code_page]
[1360]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00C90FEF [unknown_code_page]
[1360]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00C90014 [unknown_code_page]
[1360]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00C9002F [unknown_code_page]
[1360]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00C90FDE [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00370000 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00370FE5 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00370011 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->0037002C [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->0037007D [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00370F1C [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00370EF7 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->003700B5 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00370F52 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00370F37 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00370FC0 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00370047 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00370058 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00370FA5 [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00370F7E [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00370F6D [unknown_code_page]
[1360]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->0037009A [unknown_code_page]
[1360]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00380FE5 [unknown_code_page]
[1360]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00380FCA [unknown_code_page]
[1360]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00380000 [unknown_code_page]
[1360]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->0039000A [unknown_code_page]
[1360]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->00390036 [unknown_code_page]
[1360]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998471-->00390051 [unknown_code_page]
[1360]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->0039001B [unknown_code_page]
[1360]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->003A0FEF [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00990051 [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->0099006C [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->0099007D [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00990FCA [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->0099000A [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00990FE5 [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00990036 [unknown_code_page]
[1468]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->0099001B [unknown_code_page]
[1468]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00E4000A [unknown_code_page]
[1468]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00E40FE5 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00E40025 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00E40040 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00E400BA [unknown_code_page]
[1468]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00E40F63 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00E40106 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00E40F52 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00E40F8F [unknown_code_page]
[1468]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00E400E1 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00E4005B [unknown_code_page]
[1468]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00E4007D [unknown_code_page]
[1468]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00E40098 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00E4006C [unknown_code_page]
[1468]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00E400A9 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00E40FB4 [unknown_code_page]
[1468]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00E40F7E [unknown_code_page]
[1468]services.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00960000 [unknown_code_page]
[1468]services.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00960025 [unknown_code_page]
[1468]services.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00960FEF [unknown_code_page]
[1468]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00970FEF [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00C0002F [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00C00F9E [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00C00F8D [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00C00040 [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00C00000 [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00C00FD4 [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00C00FB9 [unknown_code_page]
[1480]lsass.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00C00FEF [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00C10000 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00C10011 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00C10FD1 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00C10FC0 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00C10073 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00C10F1C [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00C10F0B [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00C10EFA [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00C10F52 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00C1009A [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00C10F9B [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00C10F79 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00C10036 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00C10F8A [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00C10047 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00C10058 [unknown_code_page]
[1480]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00C10F37 [unknown_code_page]
[1480]lsass.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00B90FEF [unknown_code_page]
[1480]lsass.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00B9000A [unknown_code_page]
[1480]lsass.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00B90FD4 [unknown_code_page]
[1480]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00BE0FEF [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00FF0FCA [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00FF0F9E [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00FF0F8D [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00FF0FAF [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00FF0000 [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00FF002C [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00FF0FDB [unknown_code_page]
[1656]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00FF001B [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->02510000 [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->02510FE5 [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->0251001B [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->02510FC0 [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->0251007C [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->02510F5B [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->025100FE [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->0251010F [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->02510097 [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->025100BE [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->02510FAF [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->0251003D [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->0251005A [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->0251002C [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->0251006B [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->02510F6C [unknown_code_page]
[1656]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->025100D9 [unknown_code_page]
[1656]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00F30FEF [unknown_code_page]
[1656]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00F30014 [unknown_code_page]
[1656]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00F30FDE [unknown_code_page]
[1656]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00F40000 [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00E3002F [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00E3004A [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00E30F8D [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00E30FA8 [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00E30FEF [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00E30FC3 [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00E3001E [unknown_code_page]
[1764]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00E30FDE [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00E40FEF [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00E4000A [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00E40FCA [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00E40FB9 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00E40F6D [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00E400B3 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00E400D8 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00E400F3 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00E40098 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00E40F46 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00E4002F [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00E40051 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00E40062 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00E40040 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00E40F88 [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00E4007D [unknown_code_page]
[1764]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00E40F35 [unknown_code_page]
[1764]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00E00FE5 [unknown_code_page]
[1764]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00E00000 [unknown_code_page]
[1764]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00E00FD4 [unknown_code_page]
[1764]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00E10FEF [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->02B00FAF [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->02B00F94 [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->02B00051 [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->02B0002C [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->02B00FE5 [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->02B00FD4 [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->02B0001B [unknown_code_page]
[1808]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->02B0000A [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->02B10000 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->02B10FE5 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->02B10FD4 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->02B10025 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->02B1009F [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->02B100CD [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->02B10F34 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->02B100E8 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->02B10F74 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->02B10F63 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->02B10036 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->02B10058 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->02B10F8F [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->02B10047 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->02B10073 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->02B10084 [unknown_code_page]
[1808]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->02B100BC [unknown_code_page]
[1808]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->02750FEF [unknown_code_page]
[1808]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->0275001E [unknown_code_page]
[1808]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->02750FDE [unknown_code_page]
[1808]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->02760000 [unknown_code_page]
[1808]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->0276001B [unknown_code_page]
[1808]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998471-->02760FC0 [unknown_code_page]
[1808]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->02760FE5 [unknown_code_page]
[1808]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->02AE0000 [unknown_code_page]
[1848]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810E27-->00585C0C [mssrch.dll]
[1848]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2C [unknown_code_page]
[1848]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2D [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00CE0FA8 [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00CE0040 [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00CE005B [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00CE002F [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00CE0FEF [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00CE0FB9 [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00CE0014 [unknown_code_page]
[1864]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00CE0FD4 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00CF0000 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00CF0FE5 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00CF001B [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00CF0FCA [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00CF0F63 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00CF0F15 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00CF00B8 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00CF00D3 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00CF0F52 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00CF0F41 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00CF0036 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00CF0F9B [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00CF0F8A [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00CF0047 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00CF0058 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00CF007D [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00CF0F30 [unknown_code_page]
[1864]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00D00000 [unknown_code_page]
[1864]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00D00FCA [unknown_code_page]
[1864]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00D00FE5 [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->009B0040 [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->009B0051 [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->009B0F8A [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->009B0FAF [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->009B0FEF [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->009B0FDE [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->009B002F [unknown_code_page]
[1892]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->009B000A [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->009C0FEF [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->009C000A [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->009C001B [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->009C0036 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->009C0089 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->009C0F26 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->009C00C9 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->009C00DA [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->009C0F5C [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->009C0F4B [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->009C0FC0 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->009C0FA5 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->009C0F94 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->009C0047 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->009C006E [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->009C0F79 [unknown_code_page]
[1892]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->009C00AE [unknown_code_page]
[1892]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00980000 [unknown_code_page]
[1892]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00980FC0 [unknown_code_page]
[1892]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00980FDB [unknown_code_page]
[1892]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00990000 [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->007E0014 [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->007E0F83 [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->007E0F72 [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->007E002F [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->007E0FEF [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->007E0FC3 [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->007E0FA8 [unknown_code_page]
[2040]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->007E0FD4 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->007A0000 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->007A0FE5 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->007A0011 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->007A002C [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->007A0F74 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->007A00D7 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->007A0F48 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->007A00FC [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->007A009F [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->007A00BC [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->007A003D [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->007A0FAC [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->007A0F8F [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->007A004E [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->007A0073 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->007A0084 [unknown_code_page]
[2040]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->007A0F59 [unknown_code_page]
[2040]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->007B000A [unknown_code_page]
[2040]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->007B0FDE [unknown_code_page]
[2040]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->007B0FEF [unknown_code_page]
[2040]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->007C0FE5 [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->002A001B [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->002A0040 [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->002A0F83 [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->002A0F94 [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->002A0FE5 [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->002A0FB9 [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->002A000A [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->002A0FD4 [unknown_code_page]
[2268]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->001B0FEF [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->001B0014 [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->001B0FDE [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->001B0FCD [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->001B0074 [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->001B0F2C [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->001B00CF [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->001B00EA [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->001B008F [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->001B00A0 [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->001B0FBC [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->001B0F9A [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->001B0F7F [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->001B0FAB [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->001B0F6E [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->001B0063 [unknown_code_page]
[2268]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->001B0F3D [unknown_code_page]
[2268]explorer.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00090FEF [unknown_code_page]
[2268]explorer.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00090FDE [unknown_code_page]
[2268]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->0009000A [unknown_code_page]
[2268]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->002D0FEF [unknown_code_page]
[2268]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D956F5A-->002D0011 [unknown_code_page]
[2268]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D998471-->002D0FC0 [unknown_code_page]
[2268]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D9536B1-->002D0000 [unknown_code_page]
[2268]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->02B30000 [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->002A0FB9 [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->002A0FA8 [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->002A0F97 [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->002A004A [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->002A0FEF [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->002A0014 [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->002A0025 [unknown_code_page]
[2848]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->002A0FDE [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->001B0000 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->001B0FEF [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->001B0025 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->001B0040 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->001B0F72 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->001B0F18 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->001B00B1 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->001B00C2 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->001B0F61 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->001B0F44 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->001B0FD4 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->001B0076 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->001B0FB9 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->001B005B [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->001B0FA8 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->001B0F97 [unknown_code_page]
[2848]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->001B0F33 [unknown_code_page]
[2848]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->0009000A [unknown_code_page]
[2848]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00090036 [unknown_code_page]
[2848]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->0009001B [unknown_code_page]
[2848]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00390000 [unknown_code_page]
[3504]chrome.exe-->kernel32.dll+0x000027D0, Type: Code Mismatch 0x7C8027D0 + 10192 [10 00 AC 83]
[3504]chrome.exe-->kernel32.dll-->CreateNamedPipeW, Type: IAT modification 0x004711D4-->002C0010 [unknown_code_page]
[3504]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 6 [28 00 16 00]
[3504]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 6 [28]
[3504]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 8 [16 00]
[3504]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 6 [68 00 16 00]
[3504]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 6 [A8 01 16 00]
[3504]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Inline - RelativeCall 0x7C90D614-->7B90EC1A [unknown_code_page]
[3504]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 6 [A8 02 16 00]
[3504]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 6 [68 01 16 00]
[3504]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 6 [68 02 16 00]
[3504]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Inline - RelativeCall 0x7C90D684-->7B90EC8B [unknown_code_page]
[3504]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Code Mismatch 0x7C90D67E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 6 [A8 00 16 00]
[3504]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Inline - RelativeCall 0x7C90D7B4-->7B90EDB9 [unknown_code_page]
[3504]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Code Mismatch 0x7C90D7AE + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 6 [28 01 16 00]
[3504]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 6 [28 02 16 00]
[3504]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 11 [E2]
[3504]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 6 [68]
[3504]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 8 [16 00]
[3504]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 11 [E2]
[3760]chrome.exe-->kernel32.dll+0x000027D0, Type: Code Mismatch 0x7C8027D0 + 10192 [10 00 AC 83]
[3760]chrome.exe-->kernel32.dll-->CreateNamedPipeW, Type: IAT modification 0x004711D4-->002C0010 [unknown_code_page]
[3760]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 6 [28 00 16 00]
[3760]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 6 [28]
[3760]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 8 [16 00]
[3760]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 6 [68 00 16 00]
[3760]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 6 [A8 01 16 00]
[3760]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Inline - RelativeCall 0x7C90D614-->7B90EC1A [unknown_code_page]
[3760]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 6 [A8 02 16 00]
[3760]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 6 [68 01 16 00]
[3760]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 6 [68 02 16 00]
[3760]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Inline - RelativeCall 0x7C90D684-->7B90EC8B [unknown_code_page]
[3760]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Code Mismatch 0x7C90D67E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 6 [A8 00 16 00]
[3760]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Inline - RelativeCall 0x7C90D7B4-->7B90EDB9 [unknown_code_page]
[3760]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Code Mismatch 0x7C90D7AE + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 6 [28 01 16 00]
[3760]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 6 [28 02 16 00]
[3760]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 11 [E2]
[3760]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 6 [68]
[3760]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 8 [16 00]
[3760]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 11 [E2]
[3856]chrome.exe-->mswsock.dll+0x00005A1C, Type: Code Mismatch 0x71A55A1C + 23068 [30 26 5B D6]
[3896]chrome.exe-->mswsock.dll+0x00005A1C, Type: Code Mismatch 0x71A55A1C + 23068 [30 26 5B D6]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Regards

RichmondJohn
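
Added example (editor's code, not part of the thread and not Rootkit Unhooker's own tooling): a small Python triage of the hook report above. It parses the report lines, groups hooks by PID, and separates the three kinds of entry the log contains: control transfers into `unknown_code_page` (memory that no loaded module accounts for), hooks owned by a named module, and `Code Mismatch` entries where the in-memory bytes differ from the on-disk image. The sample lines are a constructed subset of the posted log; the accept-list of benign owners (shimeng.dll, the Windows application-compatibility shim engine, and mssrch.dll, Windows Search's own module) is an assumption for this triage, not a statement from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: ten lines in the layout of the Rootkit Unhooker hook
# report posted above (a subset, not the full log).
SAMPLE_RKU = """\
[1864]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00CE0FA8 [unknown_code_page]
[1864]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00CF0F15 [unknown_code_page]
[1864]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00D00000 [unknown_code_page]
[1848]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810E27-->00585C0C [mssrch.dll]
[1848]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2C [unknown_code_page]
[2268]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2268]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D953081-->002D0FEF [unknown_code_page]
[2268]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->02B30000 [unknown_code_page]
[3504]chrome.exe-->kernel32.dll+0x000027D0, Type: Code Mismatch 0x7C8027D0 + 10192 [10 00 AC 83]
[3504]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Inline - RelativeCall 0x7C90D614-->7B90EC1A [unknown_code_page]
"""

# One report line: [pid]process-->module-->export, Type: <kind> 0xADDR[-->DEST][ + off] [owner]
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<target>.+?), Type: (?P<kind>.+?) "
    r"(?P<addr>0x[0-9A-Fa-f]+)(?:-->(?P<dest>[0-9A-Fa-f]+))?(?: \+ \d+)? \[(?P<owner>.+)\]$"
)

# Hook owners accepted as benign here (an assumption for this triage, not a claim
# from the thread): shimeng.dll is the application-compatibility shim engine and
# mssrch.dll belongs to the Windows Search indexer itself.
KNOWN_BENIGN_OWNERS = {"shimeng.dll", "mssrch.dll"}


def parse_hooks(text):
    """Return one dict per parsable report line; lines that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["dest"] = int(h["dest"], 16) if h["dest"] else None
            h["api"] = h["target"].split("-->")[-1]   # the export actually hooked
            hooks.append(h)
    return hooks


def classify(h):
    """'suspicious': control goes into memory no loaded module accounts for.
    'benign': owner is on the accept-list.  'review': Code Mismatch, or an owner
    module we have not vetted."""
    if h["owner"] == "unknown_code_page":
        return "suspicious"
    if h["kind"] == "Code Mismatch":
        return "review"
    if h["owner"].lower() in KNOWN_BENIGN_OWNERS:
        return "benign"
    return "review"


def triage(text):
    """Per-PID summary: counts by verdict, the APIs hooked by unknown code, and the
    4 KiB pages those hooks jump into (the pages worth dumping from the process)."""
    out = defaultdict(lambda: {"process": None, "suspicious": 0, "benign": 0,
                               "review": 0, "apis": set(), "injected_pages": set()})
    for h in parse_hooks(text):
        s = out[h["pid"]]
        s["process"] = h["proc"]
        verdict = classify(h)
        s[verdict] += 1
        if verdict == "suspicious":
            s["apis"].add(h["api"])
            if h["dest"] is not None:
                s["injected_pages"].add(h["dest"] & ~0xFFF)   # page base of the jump target
    return dict(out)


if __name__ == "__main__":
    for pid, s in sorted(triage(SAMPLE_RKU).items()):
        pages = [hex(p) for p in sorted(s["injected_pages"])]
        print(f"{pid:5d} {s['process']:<18} suspicious={s['suspicious']} "
              f"benign={s['benign']} review={s['review']} pages={pages}")
        if s["apis"]:
            print("       hooked by unknown code:", ", ".join(sorted(s["apis"])))
```

On the full log the svchost.exe and explorer.exe entries are the ones to chase: every hooked export in those processes (registry key creation and opening, CreateFile, CreateProcess, LoadLibrary, VirtualProtect, socket, InternetOpen) lands in a low, page-aligned region that no module owns, which is the footprint of code injected into the process rather than a shim or a security product. The chrome.exe entries come out as one review and one suspicious; hot-patched ntdll syscall stubs in renderer processes are what the browser's own sandbox looks like to a hook scanner, so judge chrome.exe separately rather than lumping it in with the rest.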

#12 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South East Asia
  • Local time:03:02 AM

Posted 04 August 2011 - 11:53 PM

Hello RichmondJohn :),

I acted on your recommendation and uninstalled conduit engine and Vuse toolbar - I kept Vuse loaded, is this a major issue?

Vuze is P2P, meaning that you will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

For the error with Rootkit Unhooker, I would say it could be McAfee interfering. No worries, you already obtained the log.

--------------------

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real time protection that you have.
  • Click here to go to ESET Online Scanner page.
  • Click on Run ESET Online Scanner. A new window will open.
    For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
  • You will be prompted to install an ActiveX Control from ESET. Please install.
  • At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
  • Then, check Scan archives.
  • Now, click on Advanced settings and make sure all these are checked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click on Scan to proceed.
  • When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
  • Post the contents in your reply.
If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Please post back:
1. ESET online scan result
2. how is the computer behaving?

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#13 RichmondJohn

RichmondJohn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 05 August 2011 - 06:57 AM

Hi Jack&Jill

My computer appears to be running fine?

Below is the content of C:\Program Files\ESET\ESET Online Scanner\log.txt:


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=d272f7143c3aa546b68f9b22d92bbf65
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-05 09:01:31
# local_time=2011-08-05 07:01:31 (+1000, AUS Eastern Standard Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 75 7012385 25242248 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=127551
# found=1
# cleaned=0
# scan_time=13378
C:\Program Files\MediaCoder2011-R6-5166.zip Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

Regards

RichmondJohn
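
Added example (editor's code, not part of the thread and not ESET's): a Python audit of the ESET Online Scanner log.txt posted above. Rather than trusting that the right boxes were ticked, it reads the `# key=value` header and checks it against the settings the instructions ask for (report only, archives on, PUA/unsafe on, anti-stealth on), then lists the detections that still need action. The sample is constructed in the layout of the posted log; the detection line is assumed to be tab-separated on disk (path, threat with the result in parentheses, hash, flag), which the forum rendering above collapsed to spaces.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner log.txt posted above.
# Header lines are "# key=value". The detection line is assumed to be tab-separated.
SAMPLE_ESET = (
    "ESETSmartInstaller@High as downloader log:\n"
    "all ok\n"
    "# version=7\n"
    "# end=finished\n"
    "# remove_checked=false\n"
    "# archives_checked=true\n"
    "# unwanted_checked=true\n"
    "# unsafe_checked=true\n"
    "# antistealth_checked=true\n"
    "# osver=5.1.2600 NT Service Pack 3\n"
    "# scanned=127551\n"
    "# found=1\n"
    "# cleaned=0\n"
    "# scan_time=13378\n"
    "C:\\Program Files\\MediaCoder2011-R6-5166.zip\t"
    "Win32/OpenCandy application (unable to clean)\t"
    "00000000000000000000000000000000\tI\n"
)

# The configuration the instructions above ask for: detect and report, do not remove yet.
EXPECTED_SETTINGS = {
    "remove_checked": "false",
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}

ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".cab", ".tar", ".gz")
# "Threat name (result)" -> threat, result
THREAT_RE = re.compile(r"^(?P<threat>.+?)\s*\((?P<status>[^()]*)\)\s*$")


def parse_eset_log(text):
    """Split the log into its header dict and a list of detection dicts."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key] = value.strip()
        elif "\t" in line:
            fields = line.split("\t")
            if len(fields) < 4:
                continue
            m = THREAT_RE.match(fields[1])
            threat, status = (m.group("threat"), m.group("status")) if m else (fields[1], "")
            detections.append({
                "path": fields[0],
                "threat": threat,
                "status": status,
                "hash": fields[2],
                "flag": fields[3],
                # a hit inside an archive means the whole archive is the object to remove
                "in_archive": fields[0].lower().endswith(ARCHIVE_EXTS),
            })
    return header, detections


def audit_eset_log(text):
    """Compare the header with the requested settings and list detections the scanner
    did not clean (with remove_checked=false that is every detection)."""
    header, detections = parse_eset_log(text)
    mismatches = [k for k, v in EXPECTED_SETTINGS.items() if header.get(k) != v]
    return {
        "finished": header.get("end") == "finished",
        "setting_mismatches": mismatches,
        "found": int(header.get("found", 0)),
        "cleaned": int(header.get("cleaned", 0)),
        "pending": [d for d in detections if not d["status"].startswith("cleaned")],
        "detections": detections,
    }


if __name__ == "__main__":
    result = audit_eset_log(SAMPLE_ESET)
    print("finished:", result["finished"], " setting mismatches:", result["setting_mismatches"])
    print(f"found={result['found']} cleaned={result['cleaned']}")
    for d in result["pending"]:
        print(f"  pending: {d['threat']} [{d['status']}] in {d['path']}"
              f"{' (archive)' if d['in_archive'] else ''}")
```

A non-empty `setting_mismatches` means the scan was not run as requested and the result is not comparable with what the helper expects; a detection whose status is `unable to clean` inside an archive is exactly the case where deleting the archive by hand, as the next reply asks, is the fix.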

#14 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South East Asia
  • Local time:03:02 AM

Posted 05 August 2011 - 02:00 PM

Hello RichmondJohn :),

Please delete the file detected by the ESET online scan.

My computer appears to be running fine?

That is what I am asking you. Are there still any problems that you are experiencing?

--------------------

Please download SystemLook© by jpshortstuff from one of the links below and save it to your desktop.

Link 1 - 32-bit version
Link 2 - 32-bit version


  • Double click on SystemLook.exe to run it.
  • Copy and paste the following text into the main textfield:
    :file 
    c:\windows\system32\msxml3a.dll
    
  • Click the Look button to start the scan. This might take a while.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your desktop as SystemLook.txt.

--------------------

Please post back:
1. the answer to my question
2. SystemLook result

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#15 RichmondJohn

RichmondJohn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 05 August 2011 - 10:20 PM

Hi Jack&Jill

There has been no "virus" pop ups and Google Chrome (internet browser I use) does not freeze when loading so I think my computer is running smoothly compared to when the malware was aggressively active.

A side note: McAfee Internet Security software I have loaded has requested that I restart my computer to install the latest updates to their software - can I do that?

Below is the content of SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 07:23 on 06/08/2011 by JOHN RICHMOND
Administrator - Elevation successful

========== file ==========

c:\windows\system32\msxml3a.dll - File found and opened.
MD5: 5FEFD614BBD3FFA3712B172F70B1FDE2
Created at 01:01 on 14/03/2008
Modified at 00:54 on 08/06/2011
Size: 24576 bytes
Attributes: -------
FileDescription: XML Resources
FileVersion: 8.20.8730.1
ProductVersion: 8.20.8730.1
OriginalFilename: MSXML3A.dll
InternalName: MSXML3A.dll
ProductName: Microsoft Data Access Components
CompanyName: Microsoft Corporation
LegalCopyright: Copyright © Microsoft Corporation. 1981-2000

-= EOF

Regards

RichmondJohn

Edited by RichmondJohn, 06 August 2011 - 04:13 PM.
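
Added example (editor's code, not part of the thread and not SystemLook's): a Python parser for the SystemLook `:file` output above, with the two checks a reviewer does on it. It reads the MD5, the created/modified stamps (day/month/year, as on the poster's Australian locale) and the version strings, and it recomputes a local fingerprint (MD5 plus SHA-256, since MD5 alone is collision-prone) to compare against what the log recorded. The point the version block cannot settle on its own: `CompanyName`, `FileVersion` and the rest are plain PE resource strings that any file author can write, so a Microsoft copyright line is not evidence of authenticity; the hash, an Authenticode signature check, and the three-year gap between the created and modified stamps are what actually carry weight. The SystemLook sample is constructed from the posted values; the fingerprinted bytes are a constructed stand-in, not the real DLL.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime

# Constructed sample in the layout of the SystemLook ":file" output above,
# carrying the values posted for msxml3a.dll.
SAMPLE_SYSTEMLOOK = """\
========== file ==========

c:\\windows\\system32\\msxml3a.dll - File found and opened.
MD5: 5FEFD614BBD3FFA3712B172F70B1FDE2
Created at 01:01 on 14/03/2008
Modified at 00:54 on 08/06/2011
Size: 24576 bytes
Attributes: -------
FileDescription: XML Resources
FileVersion: 8.20.8730.1
ProductVersion: 8.20.8730.1
OriginalFilename: MSXML3A.dll
InternalName: MSXML3A.dll
ProductName: Microsoft Data Access Components
CompanyName: Microsoft Corporation
LegalCopyright: Copyright (c) Microsoft Corporation. 1981-2000

-= EOF
"""

FOUND_RE = re.compile(r"^(?P<path>.+?) - File found and opened\.$")
STAMP_RE = re.compile(r"^(?P<which>Created|Modified) at (?P<hm>\d\d:\d\d) on (?P<dmy>\d\d/\d\d/\d{4})$")


def parse_systemlook(text):
    """Return the fields SystemLook prints for a ':file' query as a dict.
    Timestamps are parsed as day/month/year (the poster's locale)."""
    entry = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            entry["path"] = m.group("path")
            continue
        m = STAMP_RE.match(line)
        if m:
            entry[m.group("which").lower()] = datetime.strptime(
                f"{m.group('dmy')} {m.group('hm')}", "%d/%m/%Y %H:%M")
            continue
        if line.startswith("MD5: "):
            entry["md5"] = line[5:].strip().upper()
        elif line.startswith("Size: "):
            entry["size"] = int(line[6:].split()[0])
        elif ": " in line:                      # the version-resource strings
            key, value = line.split(": ", 1)
            entry[key] = value
    return entry


def fingerprint(path):
    """What SystemLook computes locally, plus SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest().upper(), "sha256": sha256.hexdigest(),
            "size": os.stat(path).st_size}


def fingerprint_bytes(data):
    """Write constructed bytes to a temporary file, fingerprint it, remove it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return fingerprint(path)
    finally:
        os.unlink(path)


def assess(entry, local=None):
    """The findings worth acting on. Version strings only tell you what the file
    claims; the hash comparison (and, on Windows, a signature check) tells you
    whether the claim holds."""
    findings = {
        "modified_after_created_days": (entry["modified"].date() - entry["created"].date()).days,
        "claims_microsoft": entry.get("CompanyName", "").startswith("Microsoft"),
    }
    if local is not None:
        findings["md5_matches_local"] = local["md5"] == entry["md5"]
        findings["size_matches_local"] = local["size"] == entry["size"]
    return findings


if __name__ == "__main__":
    e = parse_systemlook(SAMPLE_SYSTEMLOOK)
    print(e["path"], e["md5"], e["size"], "bytes")
    print(assess(e, fingerprint_bytes(b"constructed stand-in, not the real DLL")))
```

To settle the question the helper is really asking (is this the file Microsoft shipped?), run the recorded MD5 against a known-good hash for that exact file version, or check the Authenticode signature on the Windows box itself; the `assess` output tells you only whether the claims in the log are internally consistent and whether the file on disk still matches what the log recorded.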




