I CAN NOT RUN ANYTHING


This topic is locked. 206 replies to this topic.

#1 Robinae

Posted 21 April 2012 - 01:53 PM

http://www.bleepingcomputer.com/forums/topic450774.html/page__pid__2673009#entry2673009 (link to previous thread). I think we tried everything. Can someone please read the history and please help me? I'm on day 4 of this and very frustrated that nothing seems to be working. It should be noted that I am downloading programs to CDs from a non-infected computer and using them on the infected computer. The internet on my infected computer worked fine until I completed the uninstall directions issued by BC. When you give me instructions, can you PLEASE state whether I should be in Safe Mode with Networking or Regular Mode? Here is the log for the ONLY thing that worked, the GMER. Thank you very much to anyone who wants a challenge and is willing to help me.



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-21 09:26:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP1604N rev.TM100-24
Running: 9zhhevne.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\uxldrpow.sys
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04DC0F29
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04DC0ED6
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04DC0EF1
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04DC0EC5
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04DC0F83
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04DC0FEF
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04DC0F44
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04DC0FB9
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04DC0FCA
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04DC0065
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04DB0FCA
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04DB0062
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04DB001B
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04DB0FEF
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04DB0051
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04DB0000
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 04DB0036
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04DB0FAF
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04BC0FD4
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!system 77C293C7 5 Bytes JMP 04BC0055
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04BC003A
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04BC000C
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04BC0FEF
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04BC0029
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 04BA0FEF
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 04BA0000
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 04BA0011
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 04BA0022
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC006C
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC0F81
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC005B
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0F9E
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC0FCA
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC00A2
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC0F5A
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC0F13
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC0F2E
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AC0EF8
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AC0FAF
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AC0087
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AC0040
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AC0025
.text C:\WINDOWS\system32\svchost.exe[1912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AC0F3F
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AB002C
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AB007D
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AB0FE5
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AB0FC0
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AB0058
.text C:\WINDOWS\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AB003D
.text C:\WINDOWS\system32\svchost.exe[1912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0093005F
.text C:\WINDOWS\system32\svchost.exe[1912] msvcrt.dll!system 77C293C7 5 Bytes JMP 0093004E
.text C:\WINDOWS\system32\svchost.exe[1912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930033
.text C:\WINDOWS\system32\svchost.exe[1912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FDE
.text C:\WINDOWS\system32\svchost.exe[1912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1912] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1912] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1912] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1912] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\svchost.exe[1912] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920FEF
.text C:\program files\real\realplayer\update\realsched.exe[2284] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
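As an added triage helper (not part of the thread, and not GMER's own code), here is a small parser for the `.text` user-mode hook lines in the log above: it groups the hooked APIs per process by family and counts JMP targets that land below 0x10000000, which on this XP system is outside the address range of the hooked system DLLs. The 0x10000000 ceiling is my heuristic, and the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# One GMER hook line: ".text <process>[<pid>] <module>!<func>[ + off] <addr> <n> Bytes JMP <target>"
# or, for bytes overwritten in place, "... <n> Bytes [<hex bytes>]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<bytes>[^\]]+)\])"
)

# API families worth reading together; the names are the ones hooked in the log above.
FAMILIES = {
    "process": ("CreateProcess", "NtCreateProcess", "WinExec", "system", "_wsystem"),
    "loader": ("LoadLibrary", "GetProcAddress"),
    "registry": ("RegOpenKey", "RegCreateKey"),
    "file": ("CreateFile", "NtCreateFile", "_open", "_wopen", "_creat", "_wcreat",
             "CreatePipe", "CreateNamedPipe"),
    "memory": ("VirtualProtect", "NtProtectVirtualMemory"),
    "network": ("socket", "InternetOpen"),
}

# Heuristic (my assumption, not a GMER rule): the hooked system DLLs in the log sit at
# 0x3D..-0x7C.. addresses, so a JMP below this ceiling lands in private memory
# rather than in a loaded system module.
PRIVATE_CEILING = 0x10000000


def family_of(func):
    for fam, prefixes in FAMILIES.items():
        if any(func.startswith(p) for p in prefixes):
            return fam
    return "other"


def parse_hook(line):
    """Return a dict for one .text hook line, or None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return {
        "proc": m["proc"], "pid": int(m["pid"]), "module": m["module"], "func": m["func"],
        "off": int(m["off"]) if m["off"] else 0,
        "addr": int(m["addr"], 16), "nbytes": int(m["n"]),
        "target": int(m["target"], 16) if m["target"] else None,
        "bytes": m["bytes"],
    }


def triage(log_text):
    """Group hooks per process: hooked APIs by family, private JMP targets, raw patches."""
    report = {}
    for line in log_text.splitlines():
        hook = parse_hook(line)
        if hook is None:
            continue
        key = f"{hook['proc']}[{hook['pid']}]"
        entry = report.setdefault(key, {"families": defaultdict(list),
                                        "private_jmp_targets": 0,
                                        "inline_patches": []})
        if hook["target"] is not None:
            entry["families"][family_of(hook["func"])].append(hook["func"])
            if hook["target"] < PRIVATE_CEILING:
                entry["private_jmp_targets"] += 1
        else:  # bytes overwritten in place with no JMP recorded
            entry["inline_patches"].append((f"{hook['func']}+{hook['off']}", hook["bytes"]))
    for entry in report.values():
        entry["families"] = dict(entry["families"])
    return report


# Constructed sample: a handful of lines copied from the posted GMER log.
SAMPLE_LOG = """\
.text C:\\WINDOWS\\system32\\svchost.exe[1336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0EFB
.text C:\\WINDOWS\\system32\\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009C0F94
.text C:\\WINDOWS\\system32\\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BC, 88]
.text C:\\WINDOWS\\system32\\svchost.exe[1336] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009A0FEF
.text C:\\WINDOWS\\Explorer.EXE[1668] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04B90000
.text C:\\WINDOWS\\Explorer.EXE[1668] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 04BA0FEF
.text C:\\program files\\real\\realplayer\\update\\realsched.exe[2284] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
"""

if __name__ == "__main__":
    for proc, entry in triage(SAMPLE_LOG).items():
        print(proc, entry)
```

Run against the full log, every svchost and Explorer hook resolves to a private target while the realsched entry is a plain in-place byte patch, which is the distinction a responder reading this section first wants.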

#2 1972vet
  • Malware Response Team

Posted 25 April 2012 - 05:37 PM

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 Robinae
  • Topic Starter

Posted 25 April 2012 - 08:03 PM

Hi 1972vet! Thank you so much for helping me! I did disable the anti-virus through McAfee. When I attempted to go into the Control panel on infected computer to disable any Windows Firewalls (Windows XP), it would not allow me to. It stated "Windows Firewall settings can not be displayed because the associated service is not running. Do you want to start the Windows Firewall Internet Connection Sharing (ICS) Service?" I clicked on No. (At this time the internet connection on infected computer will not connect; it constantly says "(no add-ons)" on Explorer and "Acquiring Network Address".) I did do a file search for Windows Defender and nothing came up.

But I did disable the McAfee. I then used a non-infected computer to download combo fix to cd. Installed it to infected computer. During the process of Combo-Fix preparing to run on blue screen 'Attempting to create a new System Restore point', this message comes up: the system cannot find the file NIRKMD in the blue screen. A Windows box is also open that states "Windows cannot find 'NIRKMD'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start Button, and then click Search". I clicked "ok", but the box reappeared.

Suggestions please? I will wait with the computer in this state before doing anything.

Thank you in advance for your help and quick reply...I thought I wasn't going to find anyone that could help me.

Robin

Edited by Robinae, 25 April 2012 - 08:06 PM.


#4 1972vet
  • Malware Response Team

Posted 25 April 2012 - 09:03 PM

Please try running it in safe mode. Let me know if you get the same results...and let me know if you have the Windows installation media handy. Thanks!



#5 Robinae
  • Topic Starter

Posted 25 April 2012 - 10:02 PM

Oh thank you for replying tonight while I was stuck :) While I can not find a Windows XP disc in my computer paperwork (it's quite old), I did find the 2 Recovery Disks. Will that work for what you are looking for? I'm really hoping this SMART HDD rogue will not make me lose my valuable documents. I'll try the Combo fix now in safe mode and post results. Thank you again so much in all ways!

P.S. Upon Restarting the computer, I do have a "System Recovery" option on my blue HP screen if I hit F10. Is that helpful?

Edited by Robinae, 25 April 2012 - 10:16 PM.


#6 1972vet
  • Malware Response Team

Posted 26 April 2012 - 09:54 AM

Oh thank you for replying tonight while I was stuck :) While I can not find a Windows XP disc in my computer paperwork (it's quite old), I did find the 2 Recovery Disks. Will that work for what you are looking for?
Not exactly but it's at least good to know you have them. They could come in handy, we'll see.
I'm really hoping this SMART HDD rogue will not make me lose my valuable documents. I'll try the Combo fix now in safe mode and post results. Thank you again so much in all ways!

P.S. Upon Restarting the computer, I do have a "System Recovery" option on my blue HP screen if I hit F10. Is that helpful?

The system recovery you're talking about is an image of the system as it was when it came from the factory...which is why, I would guess, you may not have been given an actual installation CD from the manufacturer. It's my opinion that type of thing shouldn't be legal. After all, everyone else in the known civilized world is expected to have the software installation media for anything installed on a PC. At least, that's the way it is according to every copyright infringement case that I'm familiar with. Even HP, years ago, got stung in a class action suit because they weren't shipping installation media along with their systems.

Somehow, over the years, these vendors have been able to skirt the law by including an image file on the hard disk, which tells volumes about what Congress folks (who make the laws) know about the computing world. If a hard disk fails, that image file is about as useful as an ashtray on a motorcycle.

Anyway...do you have the scan log yet? Please post it. Thanks!



#7 Robinae
  • Topic Starter

Posted 26 April 2012 - 11:07 AM

Hi 1972vet! Boy am I glad to hear from you! I'm so ready to get my computer back. I've been dealing with this issue for like 8 days now and I can't get anything done without my beloved PC. This has taught me a valuable lesson that if I (well actually you) get this back up and running. I will back up to an external and purchase a new computer (I know this one is considered ancient at 7 years old in the computer world).

Ok, I tried to run Combo Fix in Safe Mode with Networking. This screen came up: "Combo Fix - Zero Access. You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time". (Well I already can't get on internet thru sick computer). I did not click OK, but the box went away on its own.

Then it starts going and then this comes up: "rootkit is detected. Be patient this may take some time". I did NOT click Ok, but this box never went away, so I figured I better click OK for it to start as I noticed my clock did stop. The cursor just blinked with nothing happening. It just said in the blue screen: "Scanning for infected files...This typically doesn't take more than 10 minutes. However, scan times for badly infected malware may easily double." After 2 hours, I retried again, but again, it stuck at the same spot. Never even got to Stage 1. Left it like that all night. The combofix screen is stuck on, will not close.

Ugh...is there any hope at all?

May I ask please a question? When I followed all of the Uninstall instructions from BC for this Smart HDD, I had internet. I ran the RKill, the TDSSKiller, the Malware Bytes, and the Unhide.exe while in Safe Mode with Networking because I was scared to do any harm. After that is when I lost internet. I ran it in safe mode for the Administrator and my User Account (I guess I'm both but only use my User Account). Should I have done that in Regular Mode? Because I didn't. Those programs though did find things and quarantined and cured. There was one that it couldn't cure so I had to skip, but don't remember what it was called.

Any ideas? I'm not using any programs in this computer, although I can see them. I'm using separate computer for everything until sick malware is eradicated. I can still see the SMART HDD icon on my sick computer.

Thank you so much and please stay with me today if you can so I can be rid of this that is driving me insane. People should go to jail for doing this to others who just visit a website that McAfee live and google said were safe!

#8 1972vet
  • Malware Response Team

Posted 26 April 2012 - 01:10 PM

Normal or safe mode is fine, but if you can't run it in normal mode, then just safe mode is preferred unless I specifically ask you to use safe mode with networking. Now, it seems that combofix was working until you lost patience after two hours. Is that correct? Please try this again, disabling any on board protective software, then run combofix. Leave it alone while combofix does its thing. It can take longer than two hours. I actually had a user who said it ran for 11 hours before it rebooted the machine, and that was a successful endeavor.

Post back the log that results. Thanks!



#9 Robinae
  • Topic Starter

Posted 26 April 2012 - 01:52 PM

Hi and thank you. Yes, the first run of Combo Fix I thought it was not running after 2 hours because it stated it should take about 10 minutes. The second time I ran ComboFix, I let it run from 12:56 am last night until 1:00pm today...12 hours. I then clicked on the "x" to close the window but it didn't close and is still just sitting there without a cursor but my mouse cursor has an hour glass on it. My clock still says 12:56 am from last night. Should I just let it sit here or do I go back and restart Combofix with a little _ cursor line underneath the word "However"?

I'd prefer to restart computer in Safe Mode as you prefer and try to run again. (It wouldn't work in Normal, and is in Safe with Networking now).

Also, did my best to disable McAfee, but can't get to my Firewall settings in Control Panel because it will not allow me to go there.

Thank you so much.

Edited by Robinae, 26 April 2012 - 01:59 PM.


#10 Robinae
  • Topic Starter

Posted 26 April 2012 - 02:32 PM

Hi, sorry. Since it never made it to Stage 1 out of 50 (according to directions) in 12 hours, I'm going to reboot in Safe Mode and then run ComboFix and let it do its thing. However, I must note that it did not go through the making of a Recovery Console, so I am assuming that I already have one. It went straight from Backing up the Windows Registry to the page of starting the scan. The instructions say not to click on anything in the window, does this include the box that comes up that says: "rootkit is detected. Be patient this may take some time"? This box wants me to click "OK", but I don't know if you want me to or not. The instructions do not address that.

Thanks again.

#11 1972vet
  • Malware Response Team

Posted 26 April 2012 - 05:25 PM

The idea is, don't just willy nilly mouse around while Combofix is running. People get fidgety and just want to start clicking the mouse during such a scan but it's not recommended since it can indeed cause combofix to stall. However, if combofix presents you with a question with a click box for yes or no, then you can either click yes or no like it is asking, or sit there staring for all eternity lol...

So, when you click yes and it goes on, please wait then for it to complete, then post the log. Thanks!



#12 Robinae
  • Topic Starter

Posted 26 April 2012 - 05:44 PM

Thanks 1972 Vet! I did restart it in Safe Mode as you prefer about 3 hours ago. I did click "OK" on the box. Have not touched the computer since. I have the box open that says Auto Scan and a blinking yellow cursor. Have not reached Stage 1 yet, but am hopeful the program is running. Funny thing...this time around, my clock is staying current and not stopping! As soon as I get a log, I'll be so very happy to post it for you! Please check on me before you head off to dreamland tonight :)

#13 1972vet
  • Malware Response Team

Posted 26 April 2012 - 06:12 PM

I see...ok, stop it and restart the system. Boot back to safe mode and rename combofix to Robin.exe. Still, while in safe mode, double-click on it. Post back and let me know what happens. If you still have difficulty getting it to run, I'd like to try something else. Lemme know. Thanks!



#14 Robinae
  • Topic Starter

Posted 26 April 2012 - 07:10 PM

When I renamed the combofix, it refused to run. I deleted it when prompted. I put a blank disc in the laptop and re-downloaded under Robin.exe. I then put on desktop of infected under Robin.exe and have now started running it. I'm still getting both messages: first being infected with Rootkit.ZeroAccess and the second about Rootkit being detected and it could take up to 20 mins to run on badly infected machines. I have clicked "OK" as it asks and am now at the screen with the yellow cursor. Crossing my fingers it will run and that I will soon see Stages come on screen. How long would you like me to give it to run? Thank you............

#15 1972vet
  • Malware Response Team

Posted 26 April 2012 - 08:09 PM

Has it gone through any stages yet?
