javascript:clickRefresh()



Clare Hollands
2010-07-14, 23:11
Hello, I hope you can help... When I open Internet Explorer, it keeps opening new pages with javascript:clickRefresh() in the address box. I'm not sure if it's because I have a virus. I have McAfee antivirus, but it won't update.

I've downloaded DDS and the two logs you asked for follow -

DDS (Ver_10-03-17.01) - NTFSx86
Run by Clarey at 21:53:56.48 on 14/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.296 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Bhohub.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Clarey\LOCALS~1\Temp\Bpr.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Clarey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100512194842.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [EWABQAF7KL] c:\docume~1\clarey\locals~1\temp\Bpr.exe
uRun: [AdVantage] c:\documents and settings\clarey\application data\advantage\AdVantage.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\clarey\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.67,93.188.161.207
TCP: {00E8CC0B-9FBC-4441-B887-3DD9F380F00B} = 93.188.162.67,93.188.161.207
TCP: {31181E19-FED8-492B-94AA-9FE1C6548ED9} = 93.188.162.67,93.188.161.207
TCP: {C12DA6BB-96CD-439B-A8A8-AA2995CF37E6} = 93.188.162.67,93.188.161.207
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-27 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-30 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-30 54776]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-27 4300]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-27 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-30 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-30 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-7-10 53032]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2009-8-27 31248]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-8-27 14336]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-30 55456]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-27 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-27 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-30 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-8-27 238464]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-30 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-27 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-27 40552]
S3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2009-8-27 1448080]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]

=============== Created Last 30 ================

2010-07-09 11:47:07 175104 ----a-w- c:\windows\Bhohub.exe
2010-07-08 19:39:03 0 d-----w- c:\docume~1\clarey\applic~1\advantage
2010-07-08 19:17:50 175104 ----a-w- c:\windows\Bhohua.exe
2010-07-01 06:13:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-07-01 06:13:25 0 d-----w- c:\program files\Room on the Broom

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-12-25 15:32:35 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-27 18:26:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-12-26 05:38:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122520091226\index.dat

============= FINISH: 21:55:46.26 ===============

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 26/12/2009 05:41:46
System Uptime: 14/07/2010 16:38:42 (5 hours ago)

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | NC10
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U2E1 | 1596/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 56.351 GiB free.
D: is FIXED (NTFS) - 72 GiB total, 69.28 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 09/07/2010 12:46:05 - System Checkpoint
RP2: 14/07/2010 20:55:37 - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros WLAN Client
Bonjour
Easy Display Manager
Easy Network Manager
ERUNT 1.1j
Google Toolbar for Internet Explorer
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
imagine digital freedom - Samsung
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Magic Keyboard
Marvell Miniport Driver
McAfee Internet Security
McAfee Online Backup
McAfee Security Scan Plus
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.3
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Namuga 1.3M Webcam
Nero 8 Essentials
Play Camera
QuickTime
Realtek High Definition Audio Driver
Room on the Broom (remove only)
Samsung Battery Manager
Samsung EDS
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Guide
VCRedistSetup
WebCam SCB-1800D
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
Windows Media Format Runtime
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

09/07/2010 21:35:13, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
09/07/2010 12:47:38, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
09/07/2010 12:47:38, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================
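A triage pass over a DDS log of the kind posted above, added here as an example and not part of the original thread or of the DDS tool itself. It parses the line types DDS emits in the "Running Processes" and "Pseudo HJT Report" sections (bare process paths, uRun/mRun/dRun autoruns, TCP NameServer entries) and flags the three things a forum helper looks for first: executables launched from user-writable temp or profile folders, Run-key names that look generated, and hard-coded DNS servers inside an analyst-supplied bad range. The embedded sample is a constructed excerpt modelled on the posted log; the 93.188.160.0/21 entry in the known-bad list is an assumption for the example, chosen because that block was among the rogue-resolver ranges published in the 2011 DNSChanger advisories, and the random-name check is a crude heuristic meant to prompt a manual look, not a verdict.

```python
"""Triage helper for DDS 'Running Processes' / 'Pseudo HJT Report' output.

Added example, not part of the original thread or of DDS. It scans the
line types DDS emits and flags autoruns from user-writable folders,
random-looking Run-key names and DNS servers in an analyst-supplied bad
range. SAMPLE_LOG is a constructed excerpt modelled on the posted log.
"""
import ipaddress
import re

# Constructed sample modelled on the DDS output posted in the thread.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\DOCUME~1\\Clarey\\LOCALS~1\\Temp\\Bpr.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [EWABQAF7KL] c:\\docume~1\\clarey\\locals~1\\temp\\Bpr.exe
uRun: [AdVantage] c:\\documents and settings\\clarey\\application data\\advantage\\AdVantage.exe
mRun: [SynTPEnh] c:\\program files\\synaptics\\syntp\\SynTPEnh.exe
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.162.67,93.188.161.207
TCP: {00E8CC0B-9FBC-4441-B887-3DD9F380F00B} = 93.188.162.67,93.188.161.207
"""

# Analyst-supplied list (assumption for this example). 93.188.160.0/21 was
# among the rogue-resolver ranges published in the 2011 DNSChanger advisories.
KNOWN_BAD_DNS = [ipaddress.ip_network("93.188.160.0/21")]

# User-writable locations a legitimate autorun rarely lives in (8.3 and long forms).
SUSPICIOUS_DIRS = re.compile(
    r"(\\locals~1\\temp\\|\\local settings\\temp\\|\\application data\\|\\applic~1\\|\\temp\\)",
    re.IGNORECASE,
)

RUN_LINE = re.compile(r"^([umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DNS_LINE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>[\d.,]+)$")


def looks_random(name: str) -> bool:
    """Crude heuristic for generated Run-key names such as 'EWABQAF7KL'.

    Product names are usually mixed case or contain dots and spaces; a long,
    all-uppercase alphanumeric string with digits mixed in is what droppers emit.
    """
    return len(name) >= 8 and name.isalnum() and name.isupper() and any(c.isdigit() for c in name)


def suspicious_dns(servers: str) -> list[str]:
    """Return the servers from a comma-separated list that fall in KNOWN_BAD_DNS."""
    hits = []
    for s in servers.split(","):
        ip = ipaddress.ip_address(s)
        if any(ip in net for net in KNOWN_BAD_DNS):
            hits.append(s)
    return hits


def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) findings for a DDS log excerpt, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_LINE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if SUSPICIOUS_DIRS.search(cmd):
                findings.append(("autorun from user-writable folder", line))
            if looks_random(name):
                findings.append(("random-looking Run key name", line))
            continue
        m = DNS_LINE.match(line)
        if m:
            bad = suspicious_dns(m.group("servers"))
            if bad:
                findings.append((f"DNS server in known-bad range: {','.join(bad)}", line))
            continue
        # Bare process paths from the 'Running Processes' section.
        if re.match(r"^[A-Za-z]:\\", line) and SUSPICIOUS_DIRS.search(line):
            findings.append(("process running from temp/profile folder", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:45} {line}")
```

Run against the sample it reports the Temp-resident Bpr.exe twice (once as a running process, once as the EWABQAF7KL autorun), the AdVantage autorun under Application Data, and both DNS lines. Note that the same resolver pair is set both in the global NameServer value and per adapter, so clearing only one of the two leaves the redirection in place.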

JonTom
2010-07-20, 01:00
Hello Clare Hollands and welcome.

My name is JonTom.

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 5 days your thread will be closed.



As it has been a few days since you posted, please perform a new DDS scan and work your way through the steps below. If you encounter any difficulties come back and let me know.


Please scan your system with GMER


Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

GMER instructions image: http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please post the DDS logs and the GMER log in your next reply.

JonTom
2010-07-23, 08:28
Do you still need help?

Clare Hollands
2010-07-25, 16:30
Hi,

Thanks for the response; I've tried to run GMER several times but it's either caused a blue-screen restart, or made the computer stop working.

I've created new DDS logs - attached...

DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Clarey at 15:20:25.78 on 25/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.480 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkCSrv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Clarey\LOCALS~1\Temp\Bpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Clarey\Local Settings\Temporary Internet Files\Content.IE5\5CAZYSCD\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100512194842.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [EWABQAF7KL] c:\docume~1\clarey\locals~1\temp\Bpr.exe
uRun: [AdVantage] c:\documents and settings\clarey\application data\advantage\AdVantage.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\clarey\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.67,93.188.161.207
TCP: {00E8CC0B-9FBC-4441-B887-3DD9F380F00B} = 93.188.162.67,93.188.161.207
TCP: {31181E19-FED8-492B-94AA-9FE1C6548ED9} = 93.188.162.67,93.188.161.207
TCP: {C12DA6BB-96CD-439B-A8A8-AA2995CF37E6} = 93.188.162.67,93.188.161.207
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-27 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-30 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-30 54776]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-27 4300]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-27 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-30 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-30 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-7-10 53032]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2009-8-27 31248]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-8-27 14336]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-30 55456]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-27 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-27 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-30 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-8-27 238464]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-30 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-27 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-27 40552]
S3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2009-8-27 1448080]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]

=============== Created Last 30 ================

2010-07-24 22:05:29 0 d-----w- C:\spoolerlogs
2010-07-09 11:47:07 175104 ----a-w- c:\windows\Bhohub.exe
2010-07-08 19:39:03 0 d-----w- c:\docume~1\clarey\applic~1\advantage
2010-07-08 19:17:50 175104 ----a-w- c:\windows\Bhohua.exe
2010-07-01 06:13:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-07-01 06:13:25 0 d-----w- c:\program files\Room on the Broom

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-12-25 15:32:35 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-27 18:26:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-12-26 05:38:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122520091226\index.dat

============= FINISH: 15:22:32.70 ===============

DDS Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 26/12/2009 05:41:46
System Uptime: 25/07/2010 15:10:36 (0 hours ago)

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | NC10
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U2E1 | 1596/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 56.337 GiB free.
D: is FIXED (NTFS) - 72 GiB total, 69.28 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 09/07/2010 12:46:05 - System Checkpoint
RP2: 14/07/2010 20:55:37 - System Checkpoint
RP3: 22/07/2010 22:36:56 - System Checkpoint
RP4: 25/07/2010 00:12:00 - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros WLAN Client
Bonjour
Easy Display Manager
Easy Network Manager
ERUNT 1.1j
Google Toolbar for Internet Explorer
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
imagine digital freedom - Samsung
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Magic Keyboard
Marvell Miniport Driver
McAfee Internet Security
McAfee Online Backup
McAfee Security Scan Plus
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.3
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Namuga 1.3M Webcam
Nero 8 Essentials
Play Camera
QuickTime
Realtek High Definition Audio Driver
Room on the Broom (remove only)
Samsung Battery Manager
Samsung EDS
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Guide
VCRedistSetup
WebCam SCB-1800D
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
Windows Media Format Runtime
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

25/07/2010 15:09:36, error: System Error [1003] - Error code 0000004e, parameter1 00000007, parameter2 0001e143, parameter3 00000001, parameter4 00000000.
25/07/2010 01:13:08, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
24/07/2010 23:33:12, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
24/07/2010 23:07:36, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:02, error: Service Control Manager [7034] - The McAfee Online Backup service terminated unexpectedly. It has done this 1 time(s).
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Personal Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:57:00, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
24/07/2010 22:56:59, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
24/07/2010 22:56:59, error: Service Control Manager [7034] - The McAfee Firewall Core Service service terminated unexpectedly. It has done this 1 time(s).
24/07/2010 22:56:59, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).
22/07/2010 21:57:24, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3 00000001, parameter4 843d5000.
22/07/2010 21:29:28, error: System Error [1003] - Error code 10000050, parameter1 e469a000, parameter2 00000000, parameter3 a801ac3e, parameter4 00000001.
18/07/2010 21:17:05, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

JonTom
2010-07-25, 17:12
Hello Clare Hollands
I've tried to run GMER several times but it's either caused a blue-screen restart, or made the computer stop working.

Let's try this:

GMER

If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
If GMER does not produce a log please try running it from Safe Mode.

How to use the F8 method to Start Your Computer in Safe Mode

Restart your computer.
As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
Use the arrow keys to select the Safe mode menu item.
Press Enter.

If GMER in safe mode does not work, please try RootRepeal:

RootRepeal

Please download RootRepeal (http://rootrepeal.googlepages.com/RootRepeal.zip) to your desktop.
Physically disconnect your machine from the internet as your system will be unprotected.
Unzip it to its own folder, close all other programs, especially your security programs (anti-spyware, anti-virus, and firewall), and run RootRepeal.exe.
Click the Report tab at the bottom and then the Scan button.
A box will pop up, check the boxes beside Drivers, Files, Processes, SSDT and click OK.
Another box will open, check the boxes beside all the drives, e.g. C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the "Save Report" button, call it RepealScan and save the log to your desktop.
Reconnect to the internet.

Please provide the GMER/RootRepeal log in your next reply. If you are still having trouble, come back and let me know.

Clare Hollands
2010-07-27, 22:32
Thank you - that worked.

I've attached the first half of the GMER log (second half and Repeal log to follow):

GMER...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-27 19:45:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Clarey\LOCALS~1\Temp\uxtdqpob.sys
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A92 7 Bytes JMP F7517E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BDF 1 Byte [E9]
PAGE ntoskrnl.exe!ZwOpenKey 80572BDF 5 Bytes JMP F7517DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80578710 5 Bytes JMP F7517DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057A401 5 Bytes JMP F7517E60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057A879 7 Bytes JMP F7517E4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 8057F592 5 Bytes JMP F7517D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8057FCE0 7 Bytes JMP F7517E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 80584849 5 Bytes JMP F7517D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 80593435 5 Bytes JMP F7517E74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 805983A2 7 Bytes JMP F7517DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80599783 7 Bytes JMP F7517DC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 805DFB3F 5 Bytes JMP F7517E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655EA2 7 Bytes JMP F7517DDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50076
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C5004A
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50F8D
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C50F3F
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C50091
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50EF8
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F09
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50EE7
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50FA8
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50FDE
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F66
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C5002F
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50014
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F2E
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FB9
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C4002F
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40F68
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C40F83
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E4, 88] {IN AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40F9E
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30FAB
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FC6
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FD7
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00910078
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00910F83
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00910F94
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00910051
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00910036
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00910F4D
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00910F68
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00910F21
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009100BA
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00910F10
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00910FA5
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00910093
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00910025
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00910F3C
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00900F72
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00900F83
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00900F94
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B0, 88] {MOV AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00900FAF
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF002E
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FAD
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0FD2
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF001D
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FE3
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[784] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00930040
.text C:\WINDOWS\system32\svchost.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006F0011
.text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F0FDB
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0064
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0053
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0036
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0025
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0F9E
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0086
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0F3E
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0F08
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F19
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E00B2
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0F83
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0075
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0FAF
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0097
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760F9E
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0076004A
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FB9
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0076002F
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FE5
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00760014
.text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760F8D
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00710F90
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!system 77C293C7 5 Bytes JMP 00710FA1
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00710FD7
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00710000
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00710FBC
.text C:\WINDOWS\system32\services.exe[1412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00710011
.text C:\WINDOWS\system32\services.exe[1412] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00700FEF
.text C:\WINDOWS\system32\lsass.exe[1432] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\lsass.exe[1432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\lsass.exe[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E20011
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F5E
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F79
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90F8A
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90047
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FA5
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90089
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90078
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900B5
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C9009A
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900D0
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F4D
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\lsass.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F1C
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0040
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0F83
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FD0F9E
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1D, 89]
.text C:\WINDOWS\system32\lsass.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E4004E
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E4003D
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40011
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FE3
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\lsass.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B1002F
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B10014
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B0007F
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00F8A
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00058
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00047
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B000B0
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00F68
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F32
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B000CB
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00F21
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00FA5
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F79
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00025
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00014
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F57
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0F8D
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0014
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE004A
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B30036
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B30FA1
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30FD7
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30FB2
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B30011
.text C:\WINDOWS\system32\svchost.exe[1592] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1652] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1652] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A50FC3
.text C:\WINDOWS\system32\svchost.exe[1652] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40F52
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F63
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40F74
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A4003D
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40FB6
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40062
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F26
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40087
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40EEE
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40ED3
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40F9B
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40F41
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A40EFF
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!

Clare Hollands
2010-07-27, 22:33
Second half of GMER log below; Repeal log to follow...

RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F79
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[1652] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70FBE
.text C:\WINDOWS\system32\svchost.exe[1652] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70049
.text C:\WINDOWS\system32\svchost.exe[1652] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70038
.text C:\WINDOWS\system32\svchost.exe[1652] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1652] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70FD9
.text C:\WINDOWS\system32\svchost.exe[1652] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A7001D
.text C:\WINDOWS\system32\svchost.exe[1652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60000
.text C:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03D70FE5
.text C:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03D70011
.text C:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03D70000
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03D60000
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03D6006E
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03D60053
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03D60F79
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03D60F94
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03D60FC0
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03D60F37
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03D60F48
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03D60EF0
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03D60F0B
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03D60EDF
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03D60FA5
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03D60FE5
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03D6007F
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03D6002C
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03D6001B
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03D60F1C
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04E10025
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04E10F9E
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04E10FD4
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04E10FEF
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04E10FAF
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04E10000
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 04E10051
.text C:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04E10040
.text C:\WINDOWS\System32\svchost.exe[1692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04E00038
.text C:\WINDOWS\System32\svchost.exe[1692] msvcrt.dll!system 77C293C7 5 Bytes JMP 04E00027
.text C:\WINDOWS\System32\svchost.exe[1692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04E00FD2
.text C:\WINDOWS\System32\svchost.exe[1692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04E00000
.text C:\WINDOWS\System32\svchost.exe[1692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04E00FC1
.text C:\WINDOWS\System32\svchost.exe[1692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04E00FE3
.text C:\WINDOWS\System32\svchost.exe[1692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03D90FEF
.text C:\WINDOWS\System32\svchost.exe[1692] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03D80FEF
.text C:\WINDOWS\System32\svchost.exe[1692] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03D80FDE
.text C:\WINDOWS\System32\svchost.exe[1692] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03D80FC3
.text C:\WINDOWS\System32\svchost.exe[1692] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03D80014
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A6001B
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50058
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A5003D
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A5002C
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50F6F
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50F9E
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A50F1A
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A50F2B
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A50EDD
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A50EEE
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50EC2
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50F48
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A50FAF
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A50EFF
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FA5
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90033
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FC0
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90F80
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A90022
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90011
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80049
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80038
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8001D
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A8000C
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A80FC8
.text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01060FC3
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01060FDE
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01050F63
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01050F74
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0105004E
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01050F91
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01050FB6
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01050F26
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01050F37
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01050EF0
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01050F0B
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01050ED5
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0105003D
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01050F48
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01050022
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01050011
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0105007F
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0109002C
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01090FAC
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01090FDB
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01090011
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01090069
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01090058
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0109003D
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01080027
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!system 77C293C7 5 Bytes JMP 01080F9C
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01080FD2
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01080FB7
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01080FE3
.text C:\WINDOWS\system32\svchost.exe[1888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01070FE5
.text C:\WINDOWS\System32\svchost.exe[1904] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00830FE5
.text C:\WINDOWS\System32\svchost.exe[1904] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00830FD4
.text C:\WINDOWS\System32\svchost.exe[1904] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0083000A
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00820000
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00820F86
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00820F97
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00820FA8
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0082005B
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0082004A
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008200B8
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008200A7
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00820F30
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008200D3
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00820F15
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00820FC3
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00820FEF
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00820096
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00820FD4
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0082001B
.text C:\WINDOWS\System32\svchost.exe[1904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00820F55
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00810036
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00810FA5
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0081001B
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00810FEF
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810062
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810000
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00810FC0
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A1, 88]
.text C:\WINDOWS\System32\svchost.exe[1904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00810051
.text C:\WINDOWS\System32\svchost.exe[1904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0085002E
.text C:\WINDOWS\System32\svchost.exe[1904] msvcrt.dll!system 77C293C7 5 Bytes JMP 0085001D
.text C:\WINDOWS\System32\svchost.exe[1904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00850FC1
.text C:\WINDOWS\System32\svchost.exe[1904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00850FEF
.text C:\WINDOWS\System32\svchost.exe[1904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0085000C
.text C:\WINDOWS\System32\svchost.exe[1904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00850FD2
.text C:\WINDOWS\System32\svchost.exe[1904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00840000
.text C:\WINDOWS\system32\wuauclt.exe[2108] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02920000
.text C:\WINDOWS\system32\wuauclt.exe[2108] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02920FDB
.text C:\WINDOWS\system32\wuauclt.exe[2108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02920011
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0291000A
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02910FC3
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 029100AE
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02910FD4
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02910091
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02910051
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0291010B
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 029100FA
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02910141
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02910FA8
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02910F97
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0291006C
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0291001B
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 029100D3
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02910040
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02910FEF
.text C:\WINDOWS\system32\wuauclt.exe[2108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02910126
.text C:\WINDOWS\system32\wuauclt.exe[2108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 028F0038
.text C:\WINDOWS\system32\wuauclt.exe[2108] msvcrt.dll!system 77C293C7 5 Bytes JMP 028F0FAD
.text C:\WINDOWS\system32\wuauclt.exe[2108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 028F000C
.text C:\WINDOWS\system32\wuauclt.exe[2108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 028F0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 028F0027
.text C:\WINDOWS\system32\wuauclt.exe[2108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 028F0FD2
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02900F9E
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02900F43
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02900FAF
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02900FD4
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02900F5E
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02900FEF
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02900F79
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B0, 8A] {MOV AL, 0x8a}
.text C:\WINDOWS\system32\wuauclt.exe[2108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02900000
.text C:\WINDOWS\system32\wuauclt.exe[2108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 028E0000
.text C:\Program Files\Messenger\msmsgs.exe[2668] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F50FEF
.text C:\Program Files\Messenger\msmsgs.exe[2668] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F50025
.text C:\Program Files\Messenger\msmsgs.exe[2668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F5000A
.text C:\Program Files\Messenger\msmsgs.exe[2668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
.text C:\Program Files\Messenger\msmsgs.exe[2668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F8D

---- EOF - GMER 1.0.15 ----

Clare Hollands
2010-07-27, 22:35
RootRepeal log below:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/07/27 20:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9ECB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B13000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B3B000 Size: 7936 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA9B56000 Size: 180608 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF73FA000 Size: 105344 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7441000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA89F8000 Size: 49152 File Visible: No Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAA1CA000 Size: 361600 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Room on the Broom\ROTB.exe:{F9364501-CA4D-C91C-3948-138A323A96E2}
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\temp\perflib_perfdata_4f0.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_504.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_2d8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_538.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_624.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

==EOF==

JonTom
2010-07-28, 00:51
Hello Clare Hollands

Thank you for the logs.

Please work your way through the following steps. If you encounter any difficulties just come back and let me know:


Download Combofix and RE-NAME it BEFORE saving


Download Combofix from either of the links below. You must rename it to clare.exe before saving it.
Save it to your desktop. Change the "save as file type" to "all files".
Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.



If you are using Firefox, make sure that your download settings are as follows:

Tools->Options->Main tab
Set to "Always ask me where to Save the files".



Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)




Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.



NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.




Double click on the renamed ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.

Clare Hollands
2010-07-28, 18:41
Hi, Combofix downloaded and run as requested.

Log shown below:

ComboFix 10-07-27.05 - Clarey 28/07/2010 17:17:57.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.233 [GMT 1:00]
Running from: c:\documents and settings\Clarey\Desktop\Clare.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Clarey\Application Data\00ffefde.exe
c:\documents and settings\Clarey\Application Data\advantage
c:\documents and settings\Clarey\Application Data\advantage\AdVantage.exe
c:\windows\Bhohua.exe
c:\windows\Bhohub.exe
c:\windows\SEC
c:\windows\SEC\DelMt.cmd
c:\windows\SEC\JRE150.exe
c:\windows\SEC\Marker.exe
c:\windows\SEC\MEMIO.sys
c:\windows\SEC\MEMIO.vxd
c:\windows\SEC\MP10ENG.exe
c:\windows\SEC\Region.vbs
c:\windows\SEC\SECINSTALL.EXE
c:\windows\SEC\SECINSTALL.INI
c:\windows\SEC\StartMem.exe
c:\windows\system32\Spool\prtprocs\w32x86\SKUO5.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-27 19:58 . 2010-07-27 19:58 -------- d-----w- C:\Rootrepeal
2010-07-24 22:05 . 2010-07-24 22:05 -------- d-----w- C:\spoolerlogs
2010-07-01 06:13 . 2010-07-01 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-07-01 06:13 . 2010-07-01 06:13 -------- d-----w- c:\program files\Room on the Broom

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 18:23 . 2010-01-07 23:19 -------- d-----w- c:\documents and settings\Clarey\Application Data\Apple Computer
2010-06-10 18:44 . 2010-01-07 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 10:41 . 2009-08-27 02:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2009-08-27 02:50 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-05 20:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-05 20:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-05 20:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-07-10 09:23 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-27 39408]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2010-04-20 300912]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-07-10 2049320]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-07-10 1083176]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Clarey\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/03/2010 20:35 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [30/03/2010 20:38 54776]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [27/08/2009 18:52 4300]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/03/2010 20:35 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/03/2010 20:35 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/03/2010 20:35 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/03/2010 20:35 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [05/02/2010 21:14 229688]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [10/07/2008 10:23 53032]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [27/08/2009 18:56 31248]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [27/08/2009 03:50 14336]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/03/2010 20:35 55456]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 03:01 30208]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/03/2010 20:35 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/03/2010 20:35 88480]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [27/08/2009 22:32 238464]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [27/08/2009 19:14 93320]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/03/2010 20:35 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/03/2010 20:35 83496]
S3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [27/08/2009 18:56 1448080]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [01/08/2006 23:57 19840]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ yksvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-08-27 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-27 12:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-27 12:22]

2010-07-28 c:\windows\Tasks\User_Feed_Synchronization-{B0DD52E4-7FF6-4869-8F7B-1E9770EFFBBA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdVantage - c:\documents and settings\Clarey\Application Data\advantage\AdVantage.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-28 17:28:08
ComboFix-quarantined-files.txt 2010-07-28 16:28

Pre-Run: 60,385,955,840 bytes free
Post-Run: 60,442,320,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CC3BC1F4A4743125F25696E7B2D16E51

JonTom
2010-07-29, 10:29
Hello Clare Hollands

Thank you for the log.

Please work your way through the following steps:


Clean out your temporary files


Please download ATF Cleaner by Atribune by clicking here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save the file (called ATF-Cleaner.exe) to your desktop.
Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
Check the boxes to the left of the following:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache

The rest are optional. If you want to remove everything check the "Select All" box.
Click on "Empty Selected" to begin cleaning.
Once the "Done Cleaning" message appears, click OK.
If you use Firefox, Click on the Firefox tab and repeat the above process.
When you have finished cleaning, click on the "Exit" button in the main menu.



Please perform the following scan:


Please download MalwareBytes AntiMalware by clicking here (http://www.besttechie.net/tools/mbam-setup.exe) and save the file (called mbam-setup.exe) to your desktop.

Double click on the mbam-setup.exe icon to install the program.
Follow the prompts during installation and have the Installation Wizard create a desktop icon.
Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform full scan" and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" (Very Important).
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and paste the log in your next reply.



Please update your Java


To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
In the window that opens, click on the "Update" tab, and then on "Update Now".
Your Java should begin to update. Please follow any prompts that you receive.



Please perform the following scan:


This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.


It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
DO NOT surf the net while your resident protection is disabled!
Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.


Please perform a Kaspersky Online Scan of your computer by clicking here (http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1240137288999) or here (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html).


Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run (at times it may appear to stall).
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
If you need help performing the above steps, an animated tutorial can be found here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Please post the MBAM log and the Kaspersky Online Scan log in your next reply.

Also, please describe how your machine is behaving now. Are you still experiencing problems?

JonTom
2010-08-02, 09:16
Are you still with me?

JonTom
2010-08-04, 08:44
Due to inactivity, this topic has been closed.

If you are the topic starter and need this topic reopened, please PM a staff member (include the address of this thread in your request).

Everyone else please start a new topic.