PDA

View Full Version : Brower issues - new browser windows to ads, google search results redirected



Rhawn
2009-12-08, 17:13
I got hit with something on my fresh install of XP while downloading 'free' vector files, for designing. I hadn't gotten around to putting S & D on my pc yet, sure enough. At first the issue was a fake Anti Virus program, and man was it brutal, wouldn't let me run anything, task manager, nothing.

So I installed S & D, cleaned it, and it found a couple things, cleaned. Did the immunization too, naturally.

The problem I am still having is I am getting random new browser windows, and they all go to affiliate landing pages. Google cash, colon cleanse, Sattelite TV, etc. And my google searches get redirected when I click on a result. I use the Comcast MacAfee virus scan, which finds nothing on my system. S & D is clean.

Thank in advance! :rockon:

I have followed the instructions at the top of the forum, did a reg back up and ran HijackThis to get a log.

Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:01 AM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
d:\program files\pandora\pandora.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ERUNT\ERUNT.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [RocketDock] "D:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Pandora.lnk = D:\Program Files\Pandora\Pandora.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor Ver.3.lnk = D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 9820 bytes

Shaba
2009-12-11, 10:58
Hi Rhawn

Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)"
Important! Please do not select the "Show all" checkbox during the scan..

Rhawn
2009-12-12, 02:11
Hi Shaba! Thank you so much for responding. I followed the directions and below is the log you requested. Thanks again!

I'm going to have to break it up in sections, as its too long for 1 post.

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-11 18:58:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Rhawn\LOCALS~1\Temp\axddrpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8E4D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8E4D821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8E4D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA8E4D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8E4D835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8E4D861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA8E4D8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA8E4D8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8E4D7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA8E4D8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA8E4D80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8E4D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8E4D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8E4D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA8E4D937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA8E4D8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA8E4D88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA8E4D84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA8E4D923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA8E4D90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8E4D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8E4D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8E4D877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8E4D7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA8E4D8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8E4D7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8E4D7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

Rhawn
2009-12-12, 02:13
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A8E4D7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A8E4D78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A8E4D7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A8E4D7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A8E4D7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A8E4D714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A8E4D728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A8E4D766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A8E4D750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A8E4D73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A8E4D77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A8E4D7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A8E4D891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A8E4D87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP A8E4D8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A8E4D8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A8E4D84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP A8E4D825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A8E4D839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A8E4D865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP A8E4D8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A8E4D8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A8E4D811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A8E4D93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP A8E4D913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP A8E4D927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP A8E4D8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB61C2380, 0x3DF545, 0xE8000020]

Rhawn
2009-12-12, 02:13
Part 3

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01440FEF
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0144005B
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01440F70
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01440F8D
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0144004A
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01440FB9
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01440F2E
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01440076
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014400BD
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014400AC
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014400D8
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01440F9E
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0144000A
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01440F4B
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01440FD4
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0144001B
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01440091
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01430FB2
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01430F6B
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01430FC3
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01430FD4
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01430F86
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01430FEF
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01430F97
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 89]
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01430014
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0142004C
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!system 77C293C7 5 Bytes JMP 01420FB7
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01420FD2
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01420000
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01420027
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01420FE3
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FE0040
.text C:\WINDOWS\system32\services.exe[724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01120000
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0112008C
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01120F8D
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01120067
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0112004A
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01120F9E
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011200CB
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011200AE
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01120F68
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01120101
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01120F57
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0112002F
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01120FE5
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0112009D
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01120FAF
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01120FC0
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!WinExec 7C86250D 3 Bytes JMP 011200DC
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!WinExec + 4 7C862511 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01110FD1
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01110F6F
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01110022
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01110011
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01110F80
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01110000
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01110F9B
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [31, 89]
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01110FB6
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0110007A
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 0110005F
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01100029
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0110000C
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01100044
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01100FEF
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010F0FEF
.text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 010E0FE5
.text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 010E0FCA
.text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 010E0FAF
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90080
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F8B
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F9006F
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90054
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FC3
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F53
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F9009B
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900E2
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F900D1
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90F38
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90FB2
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90F70
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90FD4
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F900AC
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80022
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80FA5
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80062
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F80051
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FC0
.text C:\WINDOWS\system32\svchost.exe[944] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70064
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70049
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F7001D
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70038
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FE3
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F30014
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F30FDE
.text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090FE5
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090073
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090F7E
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090058
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090047
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0109002C
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01090F46
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01090F63
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01090EEB
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01090F10
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01090ED0
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01090FA5
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0109008E
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01090011
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01090FC0
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01090F2B
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01080FC0
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01080F91
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01080011
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01080FDB
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01080058
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01080047
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0108002C
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01070FAD
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 01070042
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0107001D
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01070FEF
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01070FC8
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0107000C
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01050FB9
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01060FEF
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 030A0000
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 030A0093
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 030A0082
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 030A0FA8
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 030A0FB9
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 030A005B
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 030A0F72
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 030A0F83
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030A0F32
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 030A00D5
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 030A00E6
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 030A0FD4
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 030A001B
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 030A00A4
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 030A0036
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 030A0FE5
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 030A0F61
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03090FD4
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0309006C
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03090FE5
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0309001B
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0309005B
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03090000
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0309004A
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03090FC3
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03080033
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 03080FA8
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03080FCD
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03080FEF
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03080022
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03080FDE
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 03060FEF
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 03060FDE
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 03060FC3
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 03060014
.text C:\WINDOWS\System32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03070FEF
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AD0078
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AD0F83
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AD0F94
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AD0FA5
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AD0051
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AD0089
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AD0F41
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AD00BF
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AD00AE
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AD0F0B
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AD0FCA
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AD0011
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AD0F68
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AD0036
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AD0F30
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC0FCA
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC004A
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC0011
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0F83
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AC0FA8
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CC, 88]
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0FB9
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB004C
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0FB7
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FD2
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB0027
.text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A90025
.text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A90036
.text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F66
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD005B
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0F81
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0F9E
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD00AC
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0091
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD00D1
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD0F38
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD00E2
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0FAF
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0076
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD001B
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD0F49
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C8005B
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C8002F
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C7005F
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70029
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C7000C
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70044
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1312] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1312] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[1312] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[1312] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A9000A
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01A90098
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01A90FAD
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A90FCA
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01A90087
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01A90051
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01A900B5
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01A90F6D
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01A900EB
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01A900D0
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01A90106
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01A9006C
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01A9001B
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01A90F7E
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01A90040
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01A90FEF
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01A90F5C
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A8000A
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A80040
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A80FC3
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A80FD4
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A80025
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A80FEF
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01A80F83
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C8, 89]
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A80F9E
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0184005D
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 01840042
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01840FE3
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01840000
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01840FD2
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0184001D
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00EF0000
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00EF0011
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00EF002C
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00EF0FDB
.text C:\WINDOWS\Explorer.EXE[1816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01420FEF
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F70
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0065
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0054
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0039
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF001E
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F27
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0F4E
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F02
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF009B
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF00B6
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0F97
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F5F
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FB2
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF008A
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0068002F
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0068008A
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00680FDE
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0068000A
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00680FC3
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00680FEF
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00680065
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00680054
.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0067005F
.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!system 77C293C7 5 Bytes JMP 0067004E
.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00670FDE
.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0067003D
.text C:\WINDOWS\system32\svchost.exe[2000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00670018
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660000
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C000A
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F97
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C008C
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0FB2
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00B1
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F69
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F3D
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00D6
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F22
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C005B
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F86
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0040
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\System32\svchost.exe[2404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F4E
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F68
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B001B
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F79
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F94
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\System32\svchost.exe[2404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\System32\svchost.exe[2404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0040002E
.text C:\WINDOWS\System32\svchost.exe[2404] msvcrt.dll!system 77C293C7 5 Bytes JMP 0040001D
.text C:\WINDOWS\System32\svchost.exe[2404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00400FC8
.text C:\WINDOWS\System32\svchost.exe[2404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00400000
.text C:\WINDOWS\System32\svchost.exe[2404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00400FB7
.text C:\WINDOWS\System32\svchost.exe[2404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00400FEF
.text C:\WINDOWS\System32\svchost.exe[2404] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[2404] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00710FD4
.text C:\WINDOWS\System32\svchost.exe[2404] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00710FC3
.text C:\WINDOWS\System32\svchost.exe[2404] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00710FA8
.text C:\WINDOWS\System32\svchost.exe[2404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50082
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50F8D
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50F9E
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50051
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50036
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D5009D
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50F61
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D500C2
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F1F
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50F0E
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50FAF
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50F7C
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50FCA
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D5001B
.text C:\WINDOWS\system32\svchost.exe[2424] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D50F3A
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0062
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FB9
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FCA
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0051
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006C0036
.text C:\WINDOWS\system32\svchost.exe[2424] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0025
.text C:\WINDOWS\system32\svchost.exe[2424] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0031
.text C:\WINDOWS\system32\svchost.exe[2424] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0020
.text C:\WINDOWS\system32\svchost.exe[2424] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0FC1
.text C:\WINDOWS\system32\svchost.exe[2424] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\system32\svchost.exe[2424] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FB0
.text C:\WINDOWS\system32\svchost.exe[2424] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0FD2
.text C:\WINDOWS\system32\svchost.exe[2424] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 006A0000
.text C:\WINDOWS\system32\svchost.exe[2424] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 006A0FE5
.text C:\WINDOWS\system32\svchost.exe[2424] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 006A001B
.text C:\WINDOWS\system32\svchost.exe[2424] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 006A002C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89CF4618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Shaba
2009-12-12, 15:51
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Rhawn
2009-12-13, 17:29
Hello Shaba, Thanks again for your help.

I am having a hard time locating the Combofix download. There are two links provided on the page you linked.

The first link from BleepingComputer goes to a 404

The second link is to another forum called Forospyware, which is in a latin based language. I translated the page but still could not find a link for Combofix.

I did a google search, but the results were somewhat sketchy. Please let me know if there is another safe place to download it.

Thanks!

Shaba
2009-12-13, 18:00
Well currently there is none as it has been pulled temporarily.

Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download at your desktop DDS from one of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)

Double click the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finish it will open 2 reports.
Copy/paste both reports back here and remove DDS from your desktop.


Post:

- mbam log
- dds logs

Rhawn
2009-12-13, 18:44
Malware Log:

Malwarebytes' Anti-Malware 1.42
Database version: 3353
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/13/2009 11:34:54 AM
mbam-log-2009-12-13 (11-34-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 298812
Time elapsed: 27 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS.txt


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rhawn at 11:40:46.60 on Sun 12/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1371 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
D:\Program Files\Pandora\Pandora.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rhawn\My Documents\dds.scr

============== Pseudo HJT Report ===============

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] d:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [RocketDock] "d:\program files\rocketdock\RocketDock.exe"
uRun: [PlayNC Launcher]
uRun: [Steam] "d:\program files\steam\Steam.exe" -silent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "d:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rhawn\startm~1\programs\startup\pandora.lnk - d:\program files\pandora\Pandora.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - d:\program files\pixela\imagemixer 3 se ver.3\CameraMonitor.exe
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rhawn\applic~1\mozilla\firefox\profiles\rj1fih81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\rhawn\application data\mozilla\firefox\profiles\rj1fih81.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: d:\program files\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-3-23 13696]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-27 12672]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-6-17 47640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-7 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-7 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-7 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-7 35272]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\d:\program files\logmein\x86\rainfo.sys --> d:\program files\logmein\x86\RaInfo.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-9 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-7 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-7 40552]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-7 606736]

=============== Created Last 30 ================

2009-12-13 16:05:43 0 d-----w- c:\docume~1\rhawn\applic~1\Malwarebytes
2009-12-13 16:05:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-13 16:05:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-13 16:05:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 16:05:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 20:54:18 0 d-----w- c:\program files\GMER
2009-12-08 15:06:08 0 d-----w- c:\program files\Trend Micro
2009-12-01 18:03:48 146 ----a-w- c:\windows\wininit.ini
2009-12-01 17:00:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-29 15:08:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Digsby
2009-11-29 04:50:51 0 d-----w- c:\docume~1\rhawn\applic~1\Digsby
2009-11-27 00:51:02 0 d-----w- c:\program files\BAP7
2009-11-26 02:25:29 0 d-----w- c:\program files\BAP6
2009-11-21 00:48:56 0 d-----w- c:\program files\BAP5
2009-11-19 18:53:46 0 d-----w- c:\program files\BAP4
2009-11-14 03:19:55 0 d-----w- c:\program files\BAP3

==================== Find3M ====================

2009-12-11 13:40:34 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-23 23:57:48 30996 ----a-w- c:\windows\fonts\Harabara.ttf

============= FINISH: 11:42:12.45 ===============


Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/23/2009 4:18:54 PM
System Uptime: 12/13/2009 11:35:30 AM (0 hours ago)

Motherboard: BIOSTAR Group | | NF61S-M2B
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ | Socket M2 | 2411/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 44 GiB total, 30.15 GiB free.
D: is FIXED (NTFS) - 96 GiB total, 11.88 GiB free.
E: is CDROM (UDF)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP272: 11/16/2009 5:02:54 PM - System Checkpoint
RP273: 11/17/2009 5:15:18 PM - System Checkpoint
RP274: 11/18/2009 5:59:23 PM - System Checkpoint
RP275: 11/19/2009 7:27:57 PM - System Checkpoint
RP276: 11/21/2009 11:35:47 AM - System Checkpoint
RP277: 11/22/2009 12:24:21 PM - System Checkpoint
RP278: 11/23/2009 12:25:26 PM - System Checkpoint
RP279: 11/24/2009 12:35:42 PM - System Checkpoint
RP280: 11/24/2009 11:49:45 PM - Software Distribution Service 3.0
RP281: 11/26/2009 11:01:43 AM - System Checkpoint
RP282: 11/27/2009 9:54:10 PM - System Checkpoint
RP283: 11/28/2009 10:45:02 PM - System Checkpoint
RP284: 11/30/2009 12:38:09 AM - System Checkpoint
RP285: 12/1/2009 12:40:06 AM - System Checkpoint
RP286: 12/2/2009 3:05:01 PM - System Checkpoint
RP287: 12/3/2009 4:20:04 PM - System Checkpoint
RP288: 12/4/2009 5:25:25 PM - System Checkpoint
RP289: 12/6/2009 11:27:45 PM - System Checkpoint
RP290: 12/7/2009 4:29:24 PM - Removed Data Lifeguard Diagnostic for Windows
RP291: 12/8/2009 6:54:36 PM - System Checkpoint
RP292: 12/9/2009 7:47:59 PM - System Checkpoint
RP293: 12/10/2009 12:51:21 AM - Software Distribution Service 3.0
RP294: 12/11/2009 1:16:06 AM - System Checkpoint
RP295: 12/12/2009 10:54:33 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 9.1
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Aion
BlackBerry Desktop Software 5.0
Buddy Adder Pro
Bulk Rename Utility 2.7.1.1
Call of Duty: Modern Warfare 2
Call of Duty: Modern Warfare 2 - Multiplayer
Canon Camera Access Library
Canon Camera Support Core Library
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
CPUID CPU-Z 1.52.2
Critical Update for Windows Media Player 11 (KB959772)
Digsby
Download Manager 2.3.8
Dual-Core Optimizer
Easy Adder 3.43
ERUNT 1.1j
FileZilla Client 3.2.7.1
FriendBlasterPro
Google AdWords Editor
Google Desktop
Google Talk (remove only)
Half-Life 2: Episode Two
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Image Resizer Powertoy for Windows XP
ImageMixer 3 SE Ver.3
Left 4 Dead
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.5)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
NCsoft Launcher
Nero 8
neroxml
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA nView Desktop Manager
NVIDIA PhysX
Octoshape add-in for Adobe Flash Player
Pandora
PDF Settings
QuickTime
Realtek High Definition Audio Driver
RocketDock 1.3.5
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skype web features
Skype™ 4.1
Spybot - Search & Destroy
Steam
Team Fortress 2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VCRedistSetup
Ventrilo Client
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
WinSCP 4.2.4 beta
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/7/2009 11:27:09 PM, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.
12/7/2009 11:27:08 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
12/7/2009 11:27:08 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
12/10/2009 3:07:17 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.

==== End Of File ===========================

Shaba
2009-12-14, 07:15
Then it means that we need to replace one file manually.

Do you have windows CD handy?

Rhawn
2009-12-14, 17:12
Yes I do.

Shaba
2009-12-15, 08:50
Then please install recovery console as described here (http://support.microsoft.com/kb/307654) and we will continue :)

Rhawn
2009-12-15, 20:13
I had to slipstream SP3 into a boot disc to get this installed, but its done. Ready to proceed.

Shaba
2009-12-16, 11:34
Good :)

Please do a search for atapi.sys from both hard drive and CD and let me know any hits.

Rhawn
2009-12-16, 18:07
2 Hits on the C: Drive

c:\WINDOWS\ServicePackFiles\i386
c:\WINDOWS\system32\drivers

0 Hits in the Install CD

Shaba
2009-12-17, 17:02
Then please scan those files here:

http://virusscan.jotti.org and post back results

Rhawn
2009-12-18, 17:43
c:\WINDOWS\ServicePackFiles\i386
Filename: atapi.sys
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 17 Dec 2009 16:55:41 (CET) Permalink

c:\WINDOWS\system32\drivers
Filename: atapi.sys
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 17 Dec 2009 16:55:41 (CET) Permalink

Shaba
2009-12-19, 17:08
1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd ServicePackFiles\i386

6. At the next prompt, type the following bolded text, and press Enter:

copy atapi.sys c:\WINDOWS\system32\drivers /y

7. At the next prompt, type the following bolded text, and press Enter:

exit

Reboot to windows, rerun gmer and post back a fresh gmer log.

Rhawn
2009-12-20, 05:15
Done!

GMER log below....

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-19 22:13:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Rhawn\LOCALS~1\Temp\axddrpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB410578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB4105738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB410574C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB41057CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB4105710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB4105724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB410579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB4105776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB4105762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB41057F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB41057E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB41057B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B41057B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6C51380, 0x3DF545, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F3C
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F57
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0025
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0F72
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC005D
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC004C
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC009A
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0089
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC00AB
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0F8D
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0FD4
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F21
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0F9E
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FC3
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC006E
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB002C
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB0084
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0FDB
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0011
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB0073
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DB0062
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB0047
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0F7F
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0F9A
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA0FC6
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0FAB
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC008C
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F8D
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0F9E
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0051
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0036
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC00CE
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC00A7
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00E9
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F5A
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0F3F
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0FAF
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0F7C
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC0025
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0F6B
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB0076
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB005B
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB004A
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0FCD
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA004E
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA000C
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FDE
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA001D
.text C:\WINDOWS\system32\lsass.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC00C9
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC00AE
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0091
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0080
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC010B
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0137
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0126
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F8D
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0065
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC00E4
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0FA8
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0076
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA004E
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0029
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02480FEF
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02480F63
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02480058
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02480F8A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02480047
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02480011
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02480F37
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02480F48
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024800BF
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02480F1C
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02480F0B
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02480036
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02480FCA
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02480073
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02480000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02480FB9
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024800A4
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02470FC3
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02470F61
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0247000A
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02470FDE
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02470F7C
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02470FEF
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02470F8D
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [67, 8A]
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02470FA8
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0246003D
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!system 77C293C7 5 Bytes JMP 02460FB2
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02460022
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02460000
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02460FC3
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02460011
.text C:\WINDOWS\system32\svchost.exe[940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02450000
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80091
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F92
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80076
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C800BD
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80F75
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800D8
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F35
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800E9
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C8005B
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C800AC
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C80F50
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F83
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70025
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C70F9E
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70040
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60077
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60066
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C6003A
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60055
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C6001D
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 042D0000
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 042D005B
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 042D0F66
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 042D004A
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 042D0F8D
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 042D0FAF
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 042D0F13
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 042D0F3A
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 042D0EEE
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 042D0087
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 042D00A2
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 042D0F9E
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 042D0011
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 042D0F4B
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 042D0FCA
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 042D0FDB
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 042D0076
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 042C0FCA
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 042C0051
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 042C0FE5
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 042C001B
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 042C0F94
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 042C0000
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 042C0036
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 042C0FAF
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 042B0064
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 042B0FE3
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 042B0038
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 042B0000
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 042B0049
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 042B001D
.text C:\WINDOWS\System32\svchost.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 042A0FEF
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 04290FEF
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 04290014
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 04290025
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 04290040
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0098
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F99
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B007D
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0051
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F6B
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B00B3
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F5A
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00E9
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B0118
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0062
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F88
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0040
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0025
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B00D8
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A002C
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0FB6
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A007D
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A0062
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0047
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790FC6
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0079002C
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790FD7
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790011
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50F97
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50082
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50FA8
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C500B3
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C50F6B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C500E9
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C500D8
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50104
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F7C
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C50040
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C5002F
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F5A
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40047
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C40084
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C4002C
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40073
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C40062
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40FDB
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30FD2
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30053
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3001D
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30042
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C3000C
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027D0F41
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027D0036
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027D0F68
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027D0F79
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027D000A
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027D0F0B
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027D0051
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027D0089
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027D0EF0
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027D00A4
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027D0025
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027D0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027D0F26
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027D0FA8
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027D0FB9
.text C:\WINDOWS\system32\wuauclt.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027D0078
.text C:\WINDOWS\system32\wuauclt.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027B0058
.text C:\WINDOWS\system32\wuauclt.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 027B003D
.text C:\WINDOWS\system32\wuauclt.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027B0022
.text C:\WINDOWS\system32\wuauclt.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027B0000
.text C:\WINDOWS\system32\wuauclt.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027B0011
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027C0025
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027C0F83
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027C000A
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027C0040
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 8A]
.text C:\WINDOWS\system32\wuauclt.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027A0FEF
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0093
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0062
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00B5
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F6D
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F12
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F37
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00D0
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD00A4
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F48
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F76
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930033
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F91
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930022
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FCA
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920055
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092003A
.text C:\WINDOWS\system32\svchost.exe[1552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920029
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0090003D
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0000
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0091
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0F9C
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0076
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0065
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F64
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0F75
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F2E
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF0F49
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0F1D
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0040
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0011
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF00AC
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FDB
.text C:\WINDOWS\Explorer.EXE[2408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF00C7
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0025
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE0F86
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE000A
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE0F97
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CE0FA8
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 88]
.text C:\WINDOWS\Explorer.EXE[2408] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\Explorer.EXE[2408] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD004E
.text C:\WINDOWS\Explorer.EXE[2408] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0FC3
.text C:\WINDOWS\Explorer.EXE[2408] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FDE
.text C:\WINDOWS\Explorer.EXE[2408] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0000
.text C:\WINDOWS\Explorer.EXE[2408] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0033
.text C:\WINDOWS\Explorer.EXE[2408] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\Explorer.EXE[2408] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00CB0000
.text C:\WINDOWS\Explorer.EXE[2408] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\Explorer.EXE[2408] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00CB0FC0
.text C:\WINDOWS\Explorer.EXE[2408] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00CB0FA5
.text C:\WINDOWS\Explorer.EXE[2408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC000A
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F70
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A005B
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F49
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0091
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F2E
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00BD
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00E2
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A004A
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0080
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[3856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00AC
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290036
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290051
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F94
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FAF
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[3856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E003D
.text C:\WINDOWS\System32\svchost.exe[3856] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FBC
.text C:\WINDOWS\System32\svchost.exe[3856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0011
.text C:\WINDOWS\System32\svchost.exe[3856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E002C
.text C:\WINDOWS\System32\svchost.exe[3856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FD7
.text C:\WINDOWS\System32\svchost.exe[3856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Shaba
2009-12-20, 15:34
Looks good :)

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Rhawn
2009-12-21, 02:47
The Kaspersky log was empty as the scan was clean.

Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:17 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
D:\Program Files\Pandora\Pandora.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
D:\Program Files\Digsby\lib\digsby-app.exe
D:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [RocketDock] "D:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Pandora.lnk = D:\Program Files\Pandora\Pandora.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor Ver.3.lnk = D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 10252 bytes

Rhawn
2009-12-21, 05:17
The Kas log wasnt empty, but it was clean.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, December 20, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, December 20, 2009 15:40:21
Records in database: 3392793
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 198102
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:01:40

No threats found. Scanned area is clean.

Selected area has been scanned.

Shaba
2009-12-21, 07:37
Looks good :)

Still problems?

Rhawn
2009-12-21, 18:01
I'm not sure which step did the trick, but nope, no more issues! Thank you so much!

I would like to ask about what I should be using going forward on top of my McAfee AV and Spybot.

Do I need to change all my passwords as well?

Shaba
2009-12-21, 20:29
Replacing infected atapi.sys with clean copy did :)

No need.

I will give you final instructions along with suggestions unless you have some issues left?

Rhawn
2009-12-22, 00:08
I think I am all set.

Shaba
2009-12-22, 20:23
Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

Shaba
2010-01-01, 16:51
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.