
spyware.Zbot.out infection of my WinXP laptop


23 replies to this topic

#1 ricknorth

  • Members
  • 110 posts

Posted 23 July 2012 - 04:11 PM

Please help, you good Samaritans at BC! My Dell Inspiron E1505 laptop running WinXP SP3 started running slow and I ran MBAM (full scan, not quick scan). It found 3 infected files it described as Spyware.Zbot.out virus, all (apparently) Dreamweaver 8 files. I allowed it to quarantine and delete, and rebooted immediately. Then, before doing anything else, I re-ran MBAM again and it found 3 new infected files with the same virus. This time the files were (apparently) system restore files. So I ran MBAM yet again, and this time it did not find anything. I can't tell if the computer is running significantly faster, but it might be running a little faster. I have sensitive financial info on the machine and so want to have more confidence that this bug is really gone. I don't have a good guess where it came from, which is also worrying.
Note I've got McAfee VSE running on this machine, which is nominally owned by the college that employs me, and I cannot get it off, and yeah, I know it's a hog and a pain for all. It no doubt slows my machine some and never seems to catch anything (e.g. this infection).

Here is the DDS log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Cabrillo College at 13:41:46 on 2012-07-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.606 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre7\bin\java.exe
C:\Program Files\Java\jre7\bin\java.exe
C:\WINDOWS\system32\ntvdm.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cabrillo.edu/~rnolthenius/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170703230359
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B5F38913-1403-4EEB-B61A-13CC838352CE} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{CF5A31A0-9244-4A98-A364-568C67FF9BFF} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cabrillo college\application data\mozilla\firefox\profiles\sdugaw7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://bigcharts.marketwatch.com/advchart/frames/frames.asp?symb=ndx&insttype=&time=7&freq=1
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-4-14 344712]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-10-22 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2011-4-14 99328]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-10-22 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-10-22 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-31 69192]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2011-5-24 44416]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-14 91896]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-14 43192]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
S2 sbigudrv;sbigudrv;c:\windows\system32\drivers\sbigudrv.sys [2008-3-15 12800]
S2 SBIGULDR;SBIG USB Loader (sbiguldr.sys);c:\windows\system32\drivers\sbiguldr.sys [2011-4-14 31232]
S2 SBIGUSBE;SBIG USB Driver (sbigusbe.sys);c:\windows\system32\drivers\sbigusbe.sys [2011-4-14 13824]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 250056]
S3 FastLynx;FastLynx;c:\program files\fastlynx\FastLynx.sys [2002-12-27 2987]
S3 FXUSB;FastLynx USB 2.0 Bridge Cable Driver;c:\windows\system32\drivers\FxUsb.sys [2011-4-14 14080]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-14 66536]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-07-12 03:50:59 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 03:50:58 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-08 17:08:33 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 13:42:48.21 ===============


I notice that in other help sessions on BC, some helpers say to not run or attach anything unless specifically instructed, so I will wait before running GMER mentioned in your standard instructions log.

Thank you for helping me look into the nooks/crannies of my machine to see if this smutz is still lurking somewhere!


#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,669 posts

Posted 28 July 2012 - 04:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462127 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 29 July 2012 - 01:53 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#4 ricknorth (Topic Starter)

  • Members
  • 110 posts

Posted 29 July 2012 - 06:06 PM

Hi Gringo,
Thank you! OK, first I'm going to follow the instructions of HelpBot. Here is a new DDS file, the zip attachment, and the GMER log.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Cabrillo College at 15:14:16 on 2012-07-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1373 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cabrillo.edu/~rnolthenius/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170703230359
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B5F38913-1403-4EEB-B61A-13CC838352CE} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{CF5A31A0-9244-4A98-A364-568C67FF9BFF} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cabrillo college\application data\mozilla\firefox\profiles\sdugaw7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://bigcharts.marketwatch.com/advchart/frames/frames.asp?symb=ndx&insttype=&time=7&freq=1
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-4-14 344712]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-10-22 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2011-4-14 99328]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-10-22 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-10-22 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-31 69192]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2011-5-24 44416]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-14 91896]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-14 43192]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
S2 sbigudrv;sbigudrv;c:\windows\system32\drivers\sbigudrv.sys [2008-3-15 12800]
S2 SBIGULDR;SBIG USB Loader (sbiguldr.sys);c:\windows\system32\drivers\sbiguldr.sys [2011-4-14 31232]
S2 SBIGUSBE;SBIG USB Driver (sbigusbe.sys);c:\windows\system32\drivers\sbigusbe.sys [2011-4-14 13824]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 250056]
S3 FastLynx;FastLynx;c:\program files\fastlynx\FastLynx.sys [2002-12-27 2987]
S3 FXUSB;FastLynx USB 2.0 Bridge Cable Driver;c:\windows\system32\drivers\FxUsb.sys [2011-4-14 14080]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-14 66536]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2012-07-27 06:50:51 9821896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
==================== Find3M ====================
.
2012-07-27 06:51:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-27 06:51:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-08 17:08:33 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 15:17:42.13 ===============
Here is the GMER log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-29 14:40:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541612J9SA00 rev.SBDOC74P
Running: g5n4nyqi.exe; Driver: C:\DOCUME~1\CABRIL~1\LOCALS~1\Temp\aglcipob.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DA79A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9DA7940]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9DA7954]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DA79BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DA79E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9DA7A54]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9DA7A3E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9DA7A6A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DA7AFE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9DA7A96]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DA7992]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DA7904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DA7918]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9DA7AD2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9DA7A28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9DA7A12]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DA79D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9DA7ABE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9DA7AAA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9DA797E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9DA796A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DA79FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DA7B2D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9DA7A80]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DA7B14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DA7AE8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B1C 7 Bytes JMP B9DA7AEC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2042 7 Bytes JMP B9DA7B02 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E50 5 Bytes JMP B9DA7B18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB456 5 Bytes JMP B9DA7908 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6E2 5 Bytes JMP B9DA791C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDEA0 5 Bytes JMP B9DA796E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D119A 7 Bytes JMP B9DA7958 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1250 5 Bytes JMP B9DA7944 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D22D8 5 Bytes JMP B9DA7B31 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D2C1A 5 Bytes JMP B9DA7982 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806221FA 7 Bytes JMP B9DA7A16 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622548 7 Bytes JMP B9DA7A00 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622872 7 Bytes JMP B9DA7A84 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80623124 7 Bytes JMP B9DA7A2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806239F8 7 Bytes JMP B9DA79D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623FD6 5 Bytes JMP B9DA79AA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80624472 7 Bytes JMP B9DA79BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80624642 3 Bytes JMP B9DA79EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey + 4 80624646 3 Bytes [39, 90, 90]
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624822 7 Bytes JMP B9DA7A58 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624A8C 7 Bytes JMP B9DA7A42 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806253B4 5 Bytes JMP B9DA7996 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 806256F6 7 Bytes JMP B9DA7AD6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806259B6 5 Bytes JMP B9DA7AAE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 80625E06 7 Bytes JMP B9DA7A6E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806260AA 5 Bytes JMP B9DA7AC2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806261C4 5 Bytes JMP B9DA7A9A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? witghru.sys The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0151000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0151002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01510FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01500FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0150007F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0150006E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01500F94
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01500FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01500040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015000B5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01500F79
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015000E1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015000D0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01500F23
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01500051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0150000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0150009A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01500025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01500FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01500F52
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014F0FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014F004A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014F0FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014F0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014F002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014F0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 014F0F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6F, 89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014F0014
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_wsystem 77C2931E 3 Bytes JMP 014E007F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_wsystem + 4 77C29322 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!system 77C293C7 3 Bytes JMP 014E0064
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!system + 4 77C293CB 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_creat 77C2D40F 3 Bytes JMP 014E0038
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_creat + 4 77C2D413 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014E000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_wcreat 77C2FC9B 3 Bytes JMP 014E0049
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_wcreat + 4 77C2FC9F 1 Byte [89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014E001D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014D0000
.text C:\WINDOWS\system32\svchost.exe[760] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[760] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[760] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50F99
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50084
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50FB6
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50073
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50047
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C50F5C
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C50F6D
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50F26
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C500BF
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50F15
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50058
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F7E
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C5001B
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F4B
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FC3
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C4005E
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C40FDE
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40043
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C40FA1
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E4, 88] {IN AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40FB2
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C3007A
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3003A
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C3000C
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C3004B
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C3001D
.text C:\WINDOWS\system32\svchost.exe[760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[788] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[788] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD0014
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0089
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0078
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FAF
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC00C6
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC00AB
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F3E
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F59
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F2D
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC009A
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC00D7
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0076
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0065
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
.text C:\WINDOWS\system32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FAB
.text C:\WINDOWS\system32\svchost.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0011
.text C:\WINDOWS\system32\svchost.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FBC
.text C:\WINDOWS\system32\svchost.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0000
.text C:\WINDOWS\Explorer.EXE[848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02380FEF
.text C:\WINDOWS\Explorer.EXE[848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02380FC3
.text C:\WINDOWS\Explorer.EXE[848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02380FD4
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01BF0000
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01BF003B
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01BF0F46
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01BF0F61
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01BF0F72
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01BF0FA8
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01BF0F0B
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01BF005D
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01BF0EC4
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01BF0EE9
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01BF0082
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01BF0F83
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01BF0FE5
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01BF004C
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01BF0FC3
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01BF0FD4
.text C:\WINDOWS\Explorer.EXE[848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01BF0EFA
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 019E001B
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 019E0047
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 019E0FD4
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 019E000A
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 019E0F8A
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 019E0FEF
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 019E002C
.text C:\WINDOWS\Explorer.EXE[848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 019E0FAF
.text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 019D0F92
.text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!system 77C293C7 5 Bytes JMP 019D0FA3
.text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 019D000C
.text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 019D0FE3
.text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 019D001D
.text C:\WINDOWS\Explorer.EXE[848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 019D0FD2
.text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00C30000
.text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00C30011
.text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\Explorer.EXE[848] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\Explorer.EXE[848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\services.exe[1012] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 011D000A
.text C:\WINDOWS\system32\services.exe[1012] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 011D002F
.text C:\WINDOWS\system32\services.exe[1012] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011D0FEF
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011C0FEF
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011C0093
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011C0078
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011C005B
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011C004A
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011C002F
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011C00A4
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011C0F68
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011C0F37
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011C00D0
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011C00EB
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011C0FA8
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011C0FD4
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011C0F83
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011C0FB9
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011C000A
.text C:\WINDOWS\system32\services.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011C00BF
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011B0040
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011B0098
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011B002F
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011B007D
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011B0000
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011B006C
.text C:\WINDOWS\system32\services.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011B0051
.text C:\WINDOWS\system32\services.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011A0FB7
.text C:\WINDOWS\system32\services.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 011A0FD2
.text C:\WINDOWS\system32\services.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011A0FE3
.text C:\WINDOWS\system32\services.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\services.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011A0042
.text C:\WINDOWS\system32\services.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011A001D
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[1024] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\lsass.exe[1024] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F50FAF
.text C:\WINDOWS\system32\lsass.exe[1024] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40062
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F6D
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40051
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40F94
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40FAF
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F26
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F37
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40EFA
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F0B
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40EE9
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FCA
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40F52
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40011
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F40089
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F30065
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30011
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30FA8
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [13, 89]
.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F20F90
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F20FA1
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20FC6
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20FD7
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA006F
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0054
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F70
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F38
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F55
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00B6
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA009B
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00D1
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0080
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F1D
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90080
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90025
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90065
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B9004A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80FCF
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80064
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B8002E
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B8000C
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B8003F
.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8001D
.text C:\WINDOWS\system32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E3004C
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30F61
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E3003B
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E3001E
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30F97
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E30F26
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30078
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E3009D
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E30EFA
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E30EE9
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E30F7C
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E30067
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E30FB2
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E30F15
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E2002C
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20073
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E2000A
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20058
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E20FB6
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [02, 89]
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E2003D
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E10051
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E10FC6
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E1001B
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E10000
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E1002C
.text C:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E10FE3
.text C:\WINDOWS\system32\svchost.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E00000
.text C:\WINDOWS\System32\svchost.exe[1300] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02E60000
.text C:\WINDOWS\System32\svchost.exe[1300] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02E60FEF
.text C:\WINDOWS\System32\svchost.exe[1300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02E60025
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E50FEF
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02E50F5A
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02E50F75
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E50043
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E50F86
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02E50F97
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02E50F29
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02E5007B
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E50EF3
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E50F04
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02E500A7
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02E5001E
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02E50FDE
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02E5006A
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02E50FB2
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02E50FCD
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02E5008C
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02E40FD1
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02E40051
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02E40022
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02E40011
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02E40F94
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02E40000
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02E40FA5
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 8B] {ADD AL, 0x8b}
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02E40FB6
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02E30FA1
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 02E30FB2
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02E30FDE
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02E30000
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02E30FCD
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02E30FEF
.text C:\WINDOWS\System32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02E20000
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 02B1000A
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 02B1001B
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 02B1002C
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 02B1003D
.text C:\WINDOWS\system32\svchost.exe[1480] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1480] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007C0022
.text C:\WINDOWS\system32\svchost.exe[1480] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C0011
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0073
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F74
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F91
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B004E
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B002C
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B00A9
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B008E
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F24
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0F35
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00CE
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B003D
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0FE5
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F63
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B0F46
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A002F
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A008A
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0FDE
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0FC3
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A005B
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A004A
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790053
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790FD2
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0079001D
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790042
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0079000C
.text C:\WINDOWS\system32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F47
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00F58
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00F75
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00F86
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A0001E
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00074
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00057
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00EFD
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00096
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A00EEC
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00FA1
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00F36
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FBC
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00FCD
.text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00085
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0FBC
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F006F
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0FCD
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F005E
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009F0043
.text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0028
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E0FA8
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0033
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FC3
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0022
.text C:\WINDOWS\system32\svchost.exe[1584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0FDE
.text C:\WINDOWS\system32\svchost.exe[1584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0000
.text C:\Program Files\Mozilla Firefox\firefox.exe[1616] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0116B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1616] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0141B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1616] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0141B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1616] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 0141B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F41
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20040
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F72
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F8D
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FB9
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20EF8
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F13
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20EC5
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C20ED6
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20083
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FA8
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20F30
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C20EE7
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10F94
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10FAF
.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00044
.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00033
.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00018
.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00BE0FDB
.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[1992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EA0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EA0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90FB4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E900B3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E900A2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90087
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F72
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F8D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E9010B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900F0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E90F61
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E9001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E900C4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E900DF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80FA5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E8004E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E8003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E8002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E7002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70FA1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\dllhost.exe[3836] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\dllhost.exe[3836] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\dllhost.exe[3836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F79
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0078
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005B
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00A4
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0093
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00DA
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F41
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00F5
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F68
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\dllhost.exe[3836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00B5
.text C:\WINDOWS\system32\dllhost.exe[3836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0049
.text C:\WINDOWS\system32\dllhost.exe[3836] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FBE
.text C:\WINDOWS\system32\dllhost.exe[3836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\dllhost.exe[3836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[3836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A002E
.text C:\WINDOWS\system32\dllhost.exe[3836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0FA1
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0036
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0FB2
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FCD
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\dllhost.exe[3836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\system32\dllhost.exe[3836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A80000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

Here are the results of SecurityCheck

Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee VirusScan Enterprise
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
JavaFX 2.1.0
Java™ 7 Update 4
Java version out of Date!
Adobe Flash Player 11.3.300.268
Adobe Reader X (10.1.3)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
McAfee VirusScan Enterprise EngineServer.exe
McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise SHSTAT.EXE
McAfee VirusScan Enterprise Mcshield.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 19% Defragment your hard drive soon!
````````````````````End of Log``````````````````````
Attached File: attach.ZIP (4.88 KB)

#5 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 29 July 2012 - 08:17 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 ricknorth

ricknorth
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Local time:02:33 AM

Posted 30 July 2012 - 07:52 PM

Hi Gringo,
Reading up on Combofix, I am wondering if I should run it in 'safe mode'. My computer is running slower, and one symptom is that the mouse cursor doesn't move smoothly as I pan around a page, but goes in jumps. Do you recommend I run it in 'safe mode' to reduce the odds of a BSOD or loss of material on my HDD?

#7 gringo_pr

gringo_pr

    Bleepin Gringo



Posted 30 July 2012 - 10:36 PM

The virus that we have been going up against lately is better removed in normal mode.



gringo

#8 gringo_pr

gringo_pr

    Bleepin Gringo



Posted 02 August 2012 - 11:26 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or just need some more time.

Also, to remind you that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.




Gringo

#9 ricknorth

ricknorth

Posted 02 August 2012 - 11:44 PM

Hi Gringo,
I'm still having trouble. I was about to post when I got your post; it turns out my laptop's CD drive won't burn DVDs, and I need DVDs to back up my critical files. I don't want to use my external HDD because I'm worried it'll get infected too. I'm going to drive to Silicon Valley to get one tomorrow or Saturday. And then I'll take a deep breath and run combofix. I had an infection a year or two ago and a combofix run went badly, and it took heroic efforts to get it back from the brink. So, I'm concerned. I really need to make sure I don't lose my machine; it's pretty critical to my work. If you could give me a few more days, I'll post again when I've got a backup done and have run combofix.

Here's another symptom that I notice. I normally 'hibernate' when I'm done working. Hibernates used to take less than a minute to finish up. Now it's several minutes before it finally closes up. This is true even after I use 'clear cache' in Firefox.

thank you,

Rick

#10 gringo_pr

gringo_pr

    Bleepin Gringo



Posted 02 August 2012 - 11:57 PM

OK, no problem, and I will be around.



gringo

#11 gringo_pr

gringo_pr

    Bleepin Gringo



Posted 05 August 2012 - 11:23 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or just need some more time.

Also, to remind you that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.




Gringo

#12 ricknorth

ricknorth

Posted 06 August 2012 - 01:15 AM

Hi Gringo,
My new external DVD writer will arrive Tuesday, and I'll back up all my important files at that time, run Combofix with fingers crossed, and get right back to you. Thank you. And, my machine is still taking 4 minutes or more to hibernate (vs about 30 seconds in the old days).

Rick

#13 gringo_pr

gringo_pr

    Bleepin Gringo



Posted 06 August 2012 - 02:40 AM

Thank you for letting me know.



gringo

#14 ricknorth

ricknorth

Posted 08 August 2012 - 01:03 AM

Hi Gringo,
Thank you for your patience! I got my DVD burner from FedEx and spent all afternoon trying to get it to work with various software (I was not able to get Nero 10 working), settling on some freeware, DVDburn, which, with some experimenting and guessing, was able to back up 4 GB of files I couldn't afford to lose. Then I shut off McAfee VSE, downloaded the latest ComboFix, and ran it. It didn't ask for the Recovery Console, and didn't take much longer than the advertised 10 minutes. The log is below. I don't notice anything particularly wrong with my machine after ComboFix. It did delete some files and a folder.

Did it find malware? Do I need to re-change all my passwords etc.?

ComboFix 12-08-07.05 - Cabrillo College 08/07/2012 22:24:39.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1435 [GMT -7:00]
Running from: c:\documents and settings\Cabrillo College\Desktop\bugs\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-07 23:03 . 2009-10-16 17:42 19096 ----a-w- c:\windows\system32\drivers\InCDRec.sys
2012-08-07 23:03 . 2009-10-16 17:43 130200 ----a-w- c:\windows\system32\drivers\InCDFs.sys
2012-08-07 23:03 . 2009-10-16 17:42 48280 ----a-w- c:\windows\system32\drivers\InCDPass.sys
2012-08-07 23:02 . 2012-08-07 23:02 -------- d-----w- c:\program files\Nero
2012-08-07 22:53 . 2012-08-07 22:53 -------- d-----w- c:\program files\Microsoft Silverlight
2012-08-07 22:51 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2012-08-07 22:51 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2012-08-07 22:50 . 2012-08-07 22:50 -------- d-----w- c:\windows\Logs
2012-08-01 04:44 . 2012-08-01 07:41 -------- d-----w- c:\program files\CDburner
2012-07-27 06:50 . 2012-07-27 06:50 9821896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 06:51 . 2012-04-06 02:06 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-27 06:51 . 2011-05-25 07:14 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 20:46 . 2011-04-01 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2005-08-16 10:18 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-10-30 04:28 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2005-08-16 10:18 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2005-08-16 10:18 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19 . 2011-04-14 08:48 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2011-04-14 08:48 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2005-08-16 10:40 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2005-08-16 10:40 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2005-08-16 10:40 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2011-04-14 08:48 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2005-08-16 10:40 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2005-08-16 10:40 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2005-08-16 10:18 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2011-04-14 08:48 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2005-08-16 10:40 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2005-08-16 10:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:18 . 2011-04-14 08:47 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18 . 2011-04-14 08:47 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18 . 2011-04-14 08:47 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2005-08-16 10:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2011-04-14 08:47 385024 ------w- c:\windows\system32\html.iec
2012-07-17 17:22 . 2012-02-19 07:46 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-10-23 04:07 . 2011-02-01 01:30 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2009-10-16 17:44 97072 ----a-w- c:\program files\Nero\Tools\InCD\NBHshx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-26 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NBHGui"="c:\program files\Nero\Tools\InCD\NBHGui.exe" [2009-10-16 1600816]
"InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-17 24576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\java.exe"=
.
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [10/22/2010 9:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/31/2011 6:30 PM 69192]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Tools\InCD\NBHRegInCDSrv.exe [10/16/2009 10:44 AM 53560]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [5/24/2011 2:03 PM 44416]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 10:32 PM 136176]
S2 sbigudrv;sbigudrv;c:\windows\system32\drivers\sbigudrv.sys [3/15/2008 12:47 AM 12800]
S2 SBIGULDR;SBIG USB Loader (sbiguldr.sys);c:\windows\system32\drivers\sbiguldr.sys [4/14/2011 1:48 AM 31232]
S2 SBIGUSBE;SBIG USB Driver (sbigusbe.sys);c:\windows\system32\drivers\sbigusbe.sys [4/14/2011 1:48 AM 13824]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 7:06 PM 250056]
S3 FastLynx;FastLynx;c:\program files\FastLynx\FastLynx.sys [12/27/2002 3:06 PM 2987]
S3 FXUSB;FastLynx USB 2.0 Bridge Cable Driver;c:\windows\system32\drivers\FxUsb.sys [4/14/2011 1:48 AM 14080]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2010 10:32 PM 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/14/2011 1:48 AM 66536]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 10:46 PM 113120]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 06:51]
.
2012-08-02 c:\windows\Tasks\AdobeAAMUpdater-1.0-RINOLTHE-NOTE-Cabrillo College.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-10-06 10:44]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-30 05:32]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-30 05:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cabrillo.edu/~rnolthenius/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B5F38913-1403-4EEB-B61A-13CC838352CE}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Cabrillo College\Application Data\Mozilla\Firefox\Profiles\sdugaw7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://bigcharts.marketwatch.com/advchart/frames/frames.asp?symb=ndx&insttype=&time=7&freq=1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-07 22:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-08-07 22:39:49
ComboFix-quarantined-files.txt 2012-08-08 05:39
ComboFix2.txt 2012-02-17 07:51
.
Pre-Run: 62,288,216,064 bytes free
Post-Run: 63,515,226,112 bytes free
.
- - End Of File - - DE83A34866B382B66CC8013F8BB37B7A
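
An added triage helper for logs in the format posted above (example code written for this page; it is not part of the thread, of ComboFix, or of BleepingComputer's tools). It parses the 'Other Deletions' and 'Reg Loading Points' sections and lists what a reviewer would check first. The embedded sample is an excerpt of the log in #14, except for the Run entry named example_constructed, which, like the user-writable-path heuristic, is an assumption added for illustration.

```python
import re

# Constructed excerpt in the format of the ComboFix log posted in #14; the Run entry
# "example_constructed" is NOT in the posted log and only exercises the path check.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"InCD"="c:\program files\Nero\Tools\InCD\InCD.exe" [2009-10-16 1060136]
"example_constructed"="c:\documents and settings\user\Local Settings\Temp\example.exe" [2012-08-01 12345]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((( Section Name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                 # [registry key]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')         # "name"=data
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")  # heuristic, assumed


def _decode_value(raw):
    """Quoted string (trailing [date size] dropped), dword as int, None if empty."""
    if raw.startswith('"'):
        return raw[1:raw.find('"', 1)]
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw or None


def parse_combofix(text):
    """Return {'deletions': [paths], 'registry': {key: {name: data}}}."""
    parsed = {"deletions": [], "registry": {}}
    section = key = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == ".":            # ComboFix pads sections with '.'
            continue
        if SECTION_RE.match(line):
            section, key = SECTION_RE.match(line).group(1), None
        elif section == "Other Deletions":
            parsed["deletions"].append(line)
        elif section == "Reg Loading Points":
            if KEY_RE.match(line):
                key = KEY_RE.match(line).group(1)
                parsed["registry"].setdefault(key, {})
            elif key and VALUE_RE.match(line):
                name, raw = VALUE_RE.match(line).groups()
                parsed["registry"][key][name] = _decode_value(raw)
    return parsed


def triage(parsed):
    """Findings a reviewer would look at first; heuristics, not verdicts."""
    findings = []
    for key, values in parsed["registry"].items():
        k = key.lower()
        if k.endswith("\\security center") and values.get("AntiVirusOverride") == 1:
            findings.append("AV monitoring overridden (AntiVirusOverride=1); confirm which product set it")
        elif k.endswith("\\currentversion\\run"):
            for name, path in values.items():
                if isinstance(path, str) and any(d in path.lower() for d in SUSPECT_DIRS):
                    findings.append(f"Autostart '{name}' runs from a user-writable path: {path}")
    if parsed["deletions"]:
        findings.append(f"{len(parsed['deletions'])} item(s) deleted; review ComboFix-quarantined-files.txt")
    return findings
```

Run against a full log, the same three checks apply unchanged; entries under Program Files (as every real Run entry in #14) produce no finding.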

#15 gringo_pr

gringo_pr

    Bleepin Gringo



Posted 08 August 2012 - 09:12 AM

Greetings ricknorth

Glad to see you back!

Did it find malware? Do I need to re-change all my passwords etc.?

It found something, but it is still hard to know what it is at this point. One of the things I advise anyway: any time you get something on the computer, just to be on the safe side I would change my passwords, just to be sure and safe.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo



