Click.giftload
neo_celes
2011-03-28, 00:51
Hi,
Recently, I've been redirected from google search results to ad sites. I've had Spybot search and find click.giftload multiple times. It's been fixed only to show up again. I've also run TDSS Killer. It found a rootkit (don't know the name, sorry) that I cured. However, I am still being redirected. Please Help!
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Home at 17:32:35.85 on Sun 03/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1503 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\WINDOWS\system32\astsrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\program files\Mozilla Firefox\firefox.exe
C:\program files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Home\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uLocal Page = about:blank
mDefault_Page_URL = about:blank
mStart Page = about:blank
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103172851.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ehumoda] rundll32.exe "c:\windows\kbd320de.dll",Startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\p0i1h51t.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {9A86C98D-ACE7-403A-BE71-45D5425B4F3C} - c:\documents and settings\home\local settings\application data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-15 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-15 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-15 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-15 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-15 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-15 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-15 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-15 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-15 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-15 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-15 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-15 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-10-15 88544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-14 1684736]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-10-15 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-15 84264]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-03-27 12:31:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-27 12:31:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-26 22:44:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:44:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 22:44:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 21:50:06 0 ----a-w- c:\windows\Ixareyajofo.bin
2011-03-26 21:50:04 -------- d-----w- c:\docume~1\home\locals~1\applic~1\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}
2011-03-26 21:49:33 -------- d-----w- c:\docume~1\home\applic~1\OfferBox
2011-03-26 21:48:08 149504 --sha-r- c:\windows\system32\wmnetmgr7.dll
2011-03-12 16:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-01-21 14:42:25 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14:45 1864064 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:33:32.12 ===============
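The DDS report above is what a helper reads by hand in threads like this one, but the checks applied to it can be written down. The following Python script is an added example, not part of this thread and not code from DDS, Spybot or Safer Networking. It parses the DDS line types shown above (uRun/mRun autostart entries, BHO and FF - Ext registrations, and the "Created Last 30" list with its attribute column; the formats are taken from the posted log, not from a DDS specification) and applies a few triage heuristics of my own choosing: rundll32 autostarts that load a DLL by absolute path from outside system32, browser extensions registered from a per-user Local Settings\Application Data\{GUID} folder (the location GooredFix cleans up later in the thread), orphaned BHOs, and newly created files that are zero bytes in the Windows directory or carry system+hidden attributes in system32. The sample input is a subset of lines copied from the report above; a flag means "look at this", not a verdict.

```python
import ntpath
import re

# Constructed sample: a subset of lines copied from the DDS report posted above,
# so the heuristics can be checked against real DDS output.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ehumoda] rundll32.exe "c:\windows\kbd320de.dll",Startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {9A86C98D-ACE7-403A-BE71-45D5425B4F3C} - c:\documents and settings\home\local settings\application data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}
2011-03-27 12:31:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 21:50:06 0 ----a-w- c:\windows\Ixareyajofo.bin
2011-03-26 21:48:08 149504 --sha-r- c:\windows\system32\wmnetmgr7.dll
2011-03-12 16:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
"""

# Line formats as they appear in the DDS "Pseudo HJT Report" and "Created Last 30"
# sections (an assumption taken from the log above, not a DDS specification).
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<desc>.+?) - (?P<path>[a-z]:\\.*|No File)$", re.I)
FFEXT_RE = re.compile(r"^FF - Ext: (?P<desc>.+?) - (?P<path>[a-z]:\\.*)$", re.I)
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
# Per-user "Local Settings\Application Data\{GUID}" folder, the location GooredFix cleans.
LOCAL_APPDATA_GUID = re.compile(r"\\local settings\\application data\\\{[0-9a-f-]{36}\}$", re.I)

SYSTEM32 = r"c:\windows\system32"   # assumes a default XP install, as in the log header


def _check_run(name, cmd):
    """Autostart entry: flag rundll32 loading a DLL by absolute path outside system32."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return []
    dll = m["dll"].strip().lower()
    # A bare DLL name (no backslash) resolves through the normal search path; only an
    # explicit path outside system32 is unusual enough to flag with this heuristic.
    if "\\" in dll and not dll.startswith(SYSTEM32 + "\\"):
        return [("high", dll, f"autostart '{name}' runs rundll32 on a DLL outside system32")]
    return []


def _check_bho(desc, path):
    """BHO registration whose DLL is gone: usually a leftover, low priority."""
    if path.lower() == "no file":
        return [("low", path, f"BHO {desc} is registered but its DLL is missing")]
    return []


def _check_ffext(desc, path):
    """Firefox extension registered from a per-user GUID folder in Local Settings."""
    if LOCAL_APPDATA_GUID.search(path):
        return [("high", path, f"extension '{desc}' lives in a Local Settings GUID folder")]
    return []


def _check_created(size, attrs, path):
    """Recently created files: system+hidden in system32, or zero bytes in c:\\windows."""
    findings = []
    is_dir = attrs[0] == "d"
    parent = ntpath.dirname(path).lower()      # ntpath parses Windows paths on any OS
    if not is_dir and attrs[2] == "s" and attrs[3] == "h" and parent.startswith(SYSTEM32):
        findings.append(("medium", path, "new file in system32 has system+hidden attributes"))
    if not is_dir and size == "0" and parent == r"c:\windows":
        findings.append(("medium", path, "zero-byte file created directly in the Windows directory"))
    return findings


def triage_dds(text):
    """Return (severity, path, reason) findings for the recognised DDS line types."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            findings += _check_run(m["name"], m["cmd"])
        elif m := BHO_RE.match(line):
            findings += _check_bho(m["desc"], m["path"])
        elif m := FFEXT_RE.match(line):
            findings += _check_ffext(m["desc"], m["path"])
        elif m := CREATED_RE.match(line):
            findings += _check_created(m["size"], m["attrs"], m["path"])
    return findings


if __name__ == "__main__":
    for severity, path, reason in sorted(triage_dds(SAMPLE_DDS)):
        print(f"[{severity:6}] {reason}: {path}")
```

Run it on a full DDS.txt by reading the file into `triage_dds`; the heuristics are deliberately narrow so that the ordinary entries in a report like the one above (ctfmon, TeaTimer, the HP and Java BHOs) stay quiet.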
Blottedisk
2011-03-29, 18:02
Hi neo_celes,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box at the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
Please follow these steps in order:
Step 1 | Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select "Run As Administrator" (Vista-W7).
When prompted to run the scan, click Yes.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Step 2 | Please post the contents of the TDSSKiller log. This report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Step 3 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror (http://gmer.net/download.php) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260) so your security programs will not conflict with GMER's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:
IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm).
neo_celes
2011-03-30, 19:40
Hi Blottedisk, thank you for your time and help.
Here are my log files for GooredFix and TDSSKiller.
-----------------------------------------------------------------------
GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:36 on 30/03/2011 (Home)
Firefox version 3.6.16 (en-US)
========== GooredScan ==========
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{FBAFE83E-FFC2-46CD-A6B7-8EFA0F9A6178} -> Success!
Deleting C:\Documents and Settings\Home\Local Settings\Application Data\{FBAFE83E-FFC2-46CD-A6B7-8EFA0F9A6178} -> Success!
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:20 15/10/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [21:35 31/10/2010]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [14:09 05/01/2011]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [13:35 29/03/2011]
C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\p0i1h51t.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [18:02 31/01/2011]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:39 30/01/2011]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2" [21:07 20/02/2011]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [20:24 15/10/2010]
"{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}"="C:\Documents and Settings\Home\Local Settings\Application Data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}" [23:02 28/03/2011]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:35 31/10/2010]
-=E.O.F=-
------------------------------------------------------------------------
2011/03/30 10:37:02.0062 2124 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/30 10:37:02.0796 2124 ================================================================================
2011/03/30 10:37:02.0796 2124 SystemInfo:
2011/03/30 10:37:02.0796 2124
2011/03/30 10:37:02.0796 2124 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/30 10:37:02.0796 2124 Product type: Workstation
2011/03/30 10:37:02.0796 2124 ComputerName: FFK1014HZH
2011/03/30 10:37:02.0796 2124 UserName: Home
2011/03/30 10:37:02.0796 2124 Windows directory: C:\WINDOWS
2011/03/30 10:37:02.0796 2124 System windows directory: C:\WINDOWS
2011/03/30 10:37:02.0796 2124 Processor architecture: Intel x86
2011/03/30 10:37:02.0796 2124 Number of processors: 2
2011/03/30 10:37:02.0796 2124 Page size: 0x1000
2011/03/30 10:37:02.0796 2124 Boot type: Normal boot
2011/03/30 10:37:02.0796 2124 ================================================================================
2011/03/30 10:37:03.0515 2124 Initialize success
2011/03/30 10:37:07.0390 2892 ================================================================================
2011/03/30 10:37:07.0390 2892 Scan started
2011/03/30 10:37:07.0390 2892 Mode: Manual;
2011/03/30 10:37:07.0390 2892 ================================================================================
2011/03/30 10:37:09.0156 2892 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/30 10:37:09.0359 2892 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/30 10:37:09.0531 2892 AFD (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys
2011/03/30 10:37:09.0750 2892 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/03/30 10:37:09.0937 2892 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/30 10:37:10.0093 2892 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/30 10:37:10.0187 2892 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/30 10:37:10.0328 2892 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/30 10:37:10.0406 2892 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/30 10:37:10.0578 2892 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/30 10:37:10.0953 2892 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/30 10:37:11.0031 2892 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/30 10:37:11.0140 2892 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
2011/03/30 10:37:11.0312 2892 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/30 10:37:11.0390 2892 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/30 10:37:11.0546 2892 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/30 10:37:11.0718 2892 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/30 10:37:11.0812 2892 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/30 10:37:11.0968 2892 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/30 10:37:12.0187 2892 eaps2kbd (53ce0799c9384cac99942ff032285f21) C:\WINDOWS\system32\DRIVERS\eaps2kbd.sys
2011/03/30 10:37:12.0343 2892 eawdmfd (e54e3a335b3a03ad0252e50bb92a633c) C:\WINDOWS\system32\DRIVERS\eawdmfd.sys
2011/03/30 10:37:12.0437 2892 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/30 10:37:12.0625 2892 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/03/30 10:37:12.0796 2892 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/30 10:37:12.0968 2892 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/03/30 10:37:13.0187 2892 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/03/30 10:37:13.0359 2892 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/30 10:37:13.0546 2892 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/30 10:37:13.0718 2892 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/30 10:37:13.0890 2892 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/30 10:37:14.0062 2892 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/30 10:37:14.0250 2892 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/03/30 10:37:14.0421 2892 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/03/30 10:37:14.0656 2892 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/03/30 10:37:14.0796 2892 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/30 10:37:15.0015 2892 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/30 10:37:15.0421 2892 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/03/30 10:37:15.0859 2892 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/30 10:37:16.0234 2892 IntcAzAudAddService (e8656858d8b2da7c9cf59fb4e5ce32ed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/03/30 10:37:16.0578 2892 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/30 10:37:16.0625 2892 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/03/30 10:37:16.0750 2892 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/30 10:37:16.0796 2892 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/30 10:37:16.0906 2892 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/30 10:37:16.0984 2892 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/30 10:37:17.0218 2892 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/30 10:37:17.0437 2892 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/30 10:37:17.0609 2892 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/30 10:37:17.0781 2892 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/30 10:37:17.0953 2892 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/30 10:37:18.0171 2892 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/30 10:37:18.0406 2892 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/03/30 10:37:18.0671 2892 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/03/30 10:37:18.0937 2892 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/03/30 10:37:19.0031 2892 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
2011/03/30 10:37:19.0312 2892 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/03/30 10:37:19.0562 2892 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/03/30 10:37:19.0750 2892 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/03/30 10:37:19.0890 2892 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/03/30 10:37:20.0203 2892 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2011/03/30 10:37:20.0453 2892 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/30 10:37:20.0609 2892 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/30 10:37:20.0796 2892 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/03/30 10:37:20.0953 2892 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/30 10:37:21.0031 2892 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/30 10:37:21.0203 2892 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/30 10:37:21.0359 2892 MRxDAV (65e818c473e220b6ab762e1966296fd1) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/30 10:37:21.0750 2892 MRxSmb (d09b9f0b9960dd41e73127b7814c115f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/30 10:37:21.0937 2892 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/30 10:37:22.0140 2892 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/30 10:37:22.0203 2892 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/30 10:37:22.0328 2892 Mup (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/30 10:37:22.0468 2892 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/30 10:37:22.0640 2892 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/30 10:37:22.0687 2892 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/30 10:37:22.0859 2892 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/30 10:37:23.0015 2892 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/30 10:37:23.0187 2892 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/30 10:37:23.0359 2892 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/30 10:37:23.0609 2892 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/30 10:37:23.0656 2892 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/30 10:37:23.0921 2892 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/30 10:37:24.0078 2892 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/30 10:37:24.0250 2892 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/30 10:37:24.0390 2892 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/30 10:37:24.0562 2892 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/30 10:37:24.0609 2892 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/30 10:37:24.0765 2892 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/30 10:37:24.0828 2892 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/30 10:37:25.0062 2892 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/30 10:37:25.0187 2892 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/30 10:37:25.0265 2892 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/30 10:37:25.0296 2892 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/30 10:37:25.0468 2892 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/30 10:37:25.0500 2892 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/30 10:37:25.0656 2892 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/30 10:37:25.0828 2892 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/30 10:37:26.0265 2892 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/30 10:37:26.0406 2892 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/30 10:37:26.0546 2892 RDPWD (e8e3107243b16a549b88d145ec051b06) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/30 10:37:26.0875 2892 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/30 10:37:27.0062 2892 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2011/03/30 10:37:27.0421 2892 RTLE8023xp (79b4fe884c18dd82d5449f6b6026d092) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/03/30 10:37:27.0671 2892 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/30 10:37:27.0734 2892 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/30 10:37:27.0890 2892 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/30 10:37:28.0078 2892 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/30 10:37:28.0171 2892 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/30 10:37:28.0343 2892 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/30 10:37:28.0531 2892 Srv (70cd8b8dd2a680b128617c19eb0ab94f) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/30 10:37:28.0718 2892 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/30 10:37:28.0875 2892 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/30 10:37:28.0921 2892 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/30 10:37:29.0109 2892 Tcpip (367de8e5f638c091f49273144274f629) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/30 10:37:29.0265 2892 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/30 10:37:29.0296 2892 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/30 10:37:29.0437 2892 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/30 10:37:29.0515 2892 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/30 10:37:29.0671 2892 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/30 10:37:29.0921 2892 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/30 10:37:30.0062 2892 usbehci (152ee0baa614388273a0b9ae9c9fd5a0) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/30 10:37:30.0140 2892 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/30 10:37:30.0296 2892 usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/03/30 10:37:30.0578 2892 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/30 10:37:30.0734 2892 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/30 10:37:30.0875 2892 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/30 10:37:31.0031 2892 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/30 10:37:31.0218 2892 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/30 10:37:31.0375 2892 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/30 10:37:31.0421 2892 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/30 10:37:31.0609 2892 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/30 10:37:31.0828 2892 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/30 10:37:31.0968 2892 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/30 10:37:32.0171 2892 ================================================================================
2011/03/30 10:37:32.0171 2892 Scan finished
2011/03/30 10:37:32.0171 2892 ================================================================================
2011/03/30 10:37:38.0328 3704 Deinitialize success
neo_celes
2011-03-30, 19:47
Here is the log file for my GMER scan.
---------------------------------------------------------------------------
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-30 12:33:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HDS728080PLAT20 rev.PF2OA21B
Running: 7f8h3p5l.exe; Driver: C:\DOCUME~1\Home\LOCALS~1\Temp\fwtoakog.sys
---- System - GMER 1.0.15 ----
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF743E0E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF743E0F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF743E120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF743E176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF743E0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF743E0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF743E0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF743E10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF743E14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF743E136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF743E1A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF743E18C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF743E160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD0014
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC007F
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0062
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0FA5
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC002C
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC00C1
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC00B0
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F4D
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00E6
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0101
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0F79
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00BC0FC0
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00BC0FDB
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00BC0F5E
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FA8
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F6B
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0028
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0F86
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
.text C:\WINDOWS\system32\svchost.exe[336] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0F97
.text C:\WINDOWS\system32\svchost.exe[336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA005C
.text C:\WINDOWS\system32\svchost.exe[336] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA004B
.text C:\WINDOWS\system32\svchost.exe[336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0029
.text C:\WINDOWS\system32\svchost.exe[336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA000C
.text C:\WINDOWS\system32\svchost.exe[336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA003A
.text C:\WINDOWS\system32\svchost.exe[336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 024F0FEF
.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 024F0FB9
.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 024F0FCA
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024E0000
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024E0093
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024E0F94
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024E0FA5
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024E0FB6
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024E0058
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024E0F61
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024E0F72
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024E00D8
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024E0F35
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024E00E9
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024E0FD1
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024E0011
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024E0F83
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 024E003D
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 024E0022
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 024E0F46
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0265001B
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02650076
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0265000A
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02650FD4
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0265005B
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02650FE5
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02650FB9
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [85, 8A]
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02650036
.text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02640F89
.text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!system 77C293C7 5 Bytes JMP 02640F9A
.text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02640FC6
.text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02640000
.text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02640FAB
.text C:\WINDOWS\Explorer.EXE[608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02640FE3
.text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenA 3D95D6E0 5 Bytes JMP 02500FEF
.text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenW 3D95DB59 5 Bytes JMP 02500000
.text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenUrlA 3D95F3F4 5 Bytes JMP 02500011
.text C:\WINDOWS\Explorer.EXE[608] WININET.dll!InternetOpenUrlW 3D9A718F 5 Bytes JMP 0250002C
.text C:\WINDOWS\Explorer.EXE[608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0251000A
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C10FB9
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F80
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00075
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00058
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00047
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00022
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C0009A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F5E
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C000D0
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F37
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C000EB
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00F9B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F6F
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00C000B5
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF007D
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30F9A
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FBC
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FAB
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenA 3D95D6E0 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenW 3D95DB59 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenUrlA 3D95F3F4 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1100] WININET.dll!InternetOpenUrlW 3D9A718F 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040040
.text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006B0000
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006B0F80
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006B0075
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006B0064
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006B0047
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006B0FB6
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006B0F48
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006B0090
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006B0F08
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006B00AB
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006B00BC
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006B0FA5
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006B0011
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006B0F6F
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 006B0FD1
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 006B002C
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 006B0F2D
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FA6
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FB7
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC8
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\services.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD009A
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0075
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0058
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F59
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0F74
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00D7
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F3E
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00E8
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0FA5
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD00AB
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00FD00BC
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40F83
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30FBE
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E3003F
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E3001D
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E3000C
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E3002E
.text C:\WINDOWS\system32\lsass.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B30FC3
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B30FDE
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B20FE5
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B20F4B
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B20F66
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20F77
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B20040
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20FB9
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B2006E
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B2005D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B20EFA
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B20093
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B200B8
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B20FA8
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B20F30
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00B20FCA
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00B2001B
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00B20F15
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B6005B
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B6004A
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B60F9E
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D6, 88]
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B60FB9
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B50FA8
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B50FDE
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B50029
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B50018
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AD001B
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC0F79
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC0F8A
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC0058
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0F9B
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC0F68
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC00B0
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC0F2B
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC0F3C
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AC00DF
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AC003D
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AC0089
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00AC0011
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00AC0FCA
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00AC0F4D
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F83
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F9E
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FAF
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FC0
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF005F
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0044
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF0022
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0033
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0011
.text C:\WINDOWS\system32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F44
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F5F
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60F70
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C6002F
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60F9E
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F18
neo_celes
2011-03-30, 19:47
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F33
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60EEC
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F07
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60EDB
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60F8D
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60054
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00C60085
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C5001E
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50F75
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50FCD
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C50FDE
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50F86
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C50F97
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50FA8
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC0FA8
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC0033
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC000C
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC0FC3
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01AB0014
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01AB0FDE
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01AA0073
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01AA0062
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01AA0F88
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01AA0051
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01AA0FC0
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01AA0F46
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01AA008E
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01AA0F10
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01AA0F2B
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01AA00C4
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01AA0FAF
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01AA000A
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01AA0F63
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 01AA002C
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 01AA001B
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 01AA00A9
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01990FCA
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01990FA5
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0199001B
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0199000A
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0199006C
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01990FEF
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01990051
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01990040
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01980033
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!system 77C293C7 5 Bytes JMP 01980FB2
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01980011
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01980000
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01980022
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01980FE3
.text C:\WINDOWS\system32\svchost.exe[1508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01970000
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenA 3D95D6E0 5 Bytes JMP 01960FEF
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenW 3D95DB59 5 Bytes JMP 01960FDE
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenUrlA 3D95F3F4 5 Bytes JMP 01960FC3
.text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenUrlW 3D9A718F 5 Bytes JMP 01960FB2
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02ED0000
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02ED002C
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02ED001B
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01E40000
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01E4006B
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01E40F76
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01E40044
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01E40033
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01E40FAC
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01E400A3
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01E40F51
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01E40F1B
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01E400B4
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01E40F00
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01E40F91
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01E40FDB
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01E4007C
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 01E40022
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 01E40011
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 01E40F40
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02F60025
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02F60065
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02F60FCA
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02F60000
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02F60040
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02F60FE5
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02F60F9E
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 8B]
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02F60FB9
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02F50070
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!system 77C293C7 5 Bytes JMP 02F50FE5
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02F5003A
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02F5000C
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02F5004B
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02F5001D
.text C:\WINDOWS\System32\svchost.exe[1528] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02F00000
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenA 3D95D6E0 5 Bytes JMP 02EF0FEF
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenW 3D95DB59 5 Bytes JMP 02EF0000
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenUrlA 3D95F3F4 5 Bytes JMP 02EF0FC0
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenUrlW 3D9A718F 5 Bytes JMP 02EF0FAF
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009A0025
.text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990F83
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990F94
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00990078
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0099005B
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0099004A
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00990F68
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009900A4
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009900ED
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009900DC
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00990F2F
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990FC3
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00990093
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00990FDE
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00990025
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 009900CB
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009D0051
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009D0011
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009D0040
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009D0F9E
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BD, 88]
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009D0FAF
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009C0069
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!system 77C293C7 5 Bytes JMP 009C004E
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009C0033
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009C0FDE
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1756] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20060
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20F61
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F72
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F8D
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C2008C
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F50
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20F0E
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200B1
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C200CC
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20025
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C2007B
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00C20F29
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60040
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60091
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C60080
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E6, 88] {OUT 0x88, AL}
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C6005B
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50066
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C50055
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C50029
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C5003A
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C50018
.text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40000
.text C:\WINDOWS\System32\svchost.exe[1868] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0071000A
.text C:\WINDOWS\System32\svchost.exe[1868] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00710FDE
.text C:\WINDOWS\System32\svchost.exe[1868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00700FEF
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00700F55
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00700F70
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0070004A
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00700F97
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00700FA8
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00700F0C
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00700F1D
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0070006F
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00700EE0
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0070008A
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00700039
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0070000A
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00700F3A
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00700FC3
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00700FD4
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!WinExec 7C862AED 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1868] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00700EF1
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F002C
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0F80
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F001B
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0F91
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006F003D
.text C:\WINDOWS\System32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0FC0
.text C:\WINDOWS\System32\svchost.exe[1868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0FBE
.text C:\WINDOWS\System32\svchost.exe[1868] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0FCF
.text C:\WINDOWS\System32\svchost.exe[1868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0038
.text C:\WINDOWS\System32\svchost.exe[1868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E000C
.text C:\WINDOWS\System32\svchost.exe[1868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0049
.text C:\WINDOWS\System32\svchost.exe[1868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E001D
.text C:\WINDOWS\System32\svchost.exe[1868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00710000
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00710025
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00710FE5
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00700000
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00700F59
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00700F74
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00700F9B
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00700058
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00700047
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00700F21
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00700069
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00700EE1
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00700EF2
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00700EC6
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00700FB6
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00700011
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00700F48
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00700FDB
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00700022
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 0070007A
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0047
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0F94
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F002C
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F001B
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0FA5
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006F0FC0
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8F, 88]
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0FDB
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0064
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0053
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0027
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0038
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0000
.text C:\program files\Mozilla Firefox\firefox.exe[2272] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 004013F0 C:\program files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0140B5B6
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0140C304
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0140BFED
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0140C20E
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0140B4F9
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0140C093
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0140C13D
.text C:\program files\Mozilla Firefox\firefox.exe[2272] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 0140B91A
.text C:\program files\Mozilla Firefox\firefox.exe[2272] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 0140C572
.text C:\program files\Mozilla Firefox\firefox.exe[2272] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 0140CAAC
.text C:\program files\Mozilla Firefox\firefox.exe[2272] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 0140C4A5
.text C:\program files\Mozilla Firefox\firefox.exe[2272] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 0140C9C7
.text C:\program files\Mozilla Firefox\firefox.exe[2272] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 0140CE63
.text C:\program files\Mozilla Firefox\firefox.exe[2272] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 0140CF2D
.text C:\program files\Mozilla Firefox\firefox.exe[2272] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 0140B9F5
.text C:\program files\Mozilla Firefox\firefox.exe[2272] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 0140C8DF
.text C:\program files\Mozilla Firefox\firefox.exe[2272] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 0140C71B
.text C:\program files\Mozilla Firefox\firefox.exe[2272] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 0140C392
.text C:\program files\Mozilla Firefox\firefox.exe[2272] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 0140C63F
.text C:\program files\Mozilla Firefox\firefox.exe[2272] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 0140C7F7
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [128] 0x10000000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [608] 0x02B50000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\WINDOWS\VistaDrive\VistaDrive.exe [772] 0x10000000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\Program Files\McAfee.com\Agent\mcagent.exe [792] 0x010F0000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [860] 0x10000000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [932] 0x10000000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [936] 0x00B80000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\program files\HP\Digital Imaging\bin\hpqtra08.exe [984] 0x01810000
Library C:\WINDOWS\ajizikequwamoh.dll (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [3564] 0x00A70000
---- EOF - GMER 1.0.15 ----
Blottedisk
2011-03-30, 21:04
Hi neo_celes,
Please visit the following and have a look at how you can disable your security software.
How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260 )
After disabling your security programs, download Combofix from any of the links below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe )
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe )
--------------------------------------------------------------------
Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
neo_celes
2011-03-30, 21:47
Here is the ComboFix log
----------------------------------------------------------------------
ComboFix 11-03-29.06 - Home 03/30/2011 14:32:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1457 [GMT -4:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Home\Application Data\OfferBox
c:\documents and settings\Home\Application Data\OfferBox\config.xml
c:\windows\Fonts\Vn.Fon
c:\windows\kbd320de.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-29 13:35 . 2011-03-29 13:35 -------- d-----w- c:\program files\Common Files\Java
2011-03-28 23:03 . 2011-03-28 23:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-28 23:02 . 2011-03-28 23:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}
2011-03-27 12:31 . 2011-03-27 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-27 12:31 . 2011-03-27 12:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:44 . 2011-03-26 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 22:05 . 2011-03-26 22:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-26 21:50 . 2011-03-30 13:40 0 ----a-w- c:\windows\Ixareyajofo.bin
2011-03-26 21:48 . 2011-03-26 21:48 149504 --sha-r- c:\windows\system32\wmnetmgr7.dll
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-03 00:56 . 2011-03-30 13:45 -------- d-----w- c:\documents and settings\Home\Application Data\HPAppData
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 05:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 05:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:40 . 2010-10-31 21:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2010-10-31 21:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:42 . 2008-04-14 05:00 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 05:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14 . 2009-09-13 17:53 1864064 ----a-w- c:\windows\system32\win32k.sys
2010-10-14 02:28 . 2010-10-15 20:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
------- Sigcheck -------
.
[-] 2009-09-13 . D2D2AACF1837F465D00CCD93C02816B9 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"AdobeAAMUpdater-1.0"="c:\program files\common files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\common files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\common files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-09-13 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\common files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\program files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\program files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\program files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\program files\\Skype\\Phone\\Skype.exe"=
"c:\\program files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56663:TCP"= 56663:TCP:Pando Media Booster
"56663:UDP"= 56663:UDP:Pando Media Booster
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/15/2010 4:23 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\Mcafee\SystemCore\mfefire.exe [10/15/2010 4:23 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/15/2010 4:23 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/15/2010 4:23 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/15/2010 4:23 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 4:23 PM 88544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/14/2010 8:29 AM 1684736]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 4:23 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/15/2010 4:23 PM 84264]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - FWTOAKOG
*Deregistered* - fwtoakog
*Deregistered* - klmd25
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{75A62F1D-8D4A-443C-AE75-497900CEA76C}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\p0i1h51t.default\
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Ehumoda - c:\windows\kbd320de.dll
HKLM-Run-Ymuxulecugofu - c:\windows\ajizikequwamoh.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 14:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-03-30 14:45:48
ComboFix-quarantined-files.txt 2011-03-30 18:45
.
Pre-Run: 62,722,109,440 bytes free
Post-Run: 62,784,839,680 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 251C113FFFEB4859528B398630C7E39E
Blottedisk
2011-03-31, 00:06
Hi neo_celes,
Please do the following:
Step 1 | Please go to the following site to scan a file: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com )
Click on Browse, and upload the following file for analysis:
c:\windows\system32\sfcfiles.dll
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Step 2 | ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:
File::
c:\windows\system32\wmnetmgr7.dll
c:\windows\Ixareyajofo.bin
Folder::
c:\documents and settings\Home\Local Settings\Application Data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}
SRPeek::
c:\windows\system32\sfcfiles.dll
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **
neo_celes
2011-03-31, 01:47
These are the results from the Virus Total scan
-------------------------------------------------------------------
File name:sfcfiles.dll
Submission date:2011-03-30 22:40:40 (UTC)
Result:1/ 41 (2.4%)
Antivirus Version Last update Result
AhnLab-V3 2011.03.30.01 2011.03.30 -
AntiVir 7.11.5.119 2011.03.30 -
Antiy-AVL 2.0.3.7 2011.03.30 -
Avast 4.8.1351.0 2011.03.30 -
Avast5 5.0.677.0 2011.03.30 -
AVG 10.0.0.1190 2011.03.29 -
BitDefender 7.2 2011.03.30 -
CAT-QuickHeal 11.00 2011.03.30 -
ClamAV 0.96.4.0 2011.03.30 -
Commtouch 5.2.11.5 2011.03.24 -
Comodo 8148 2011.03.29 -
DrWeb 5.0.2.03300 2011.03.30 -
eSafe 7.0.17.0 2011.03.30 -
eTrust-Vet 36.1.8242 2011.03.29 -
F-Prot 4.6.2.117 2011.03.29 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.30 -
GData 22 2011.03.30 -
Ikarus T3.1.1.97.0 2011.03.30 -
Jiangmin 13.0.900 2011.03.29 -
K7AntiVirus 9.94.4241 2011.03.29 -
McAfee 5.400.0.1158 2011.03.30 -
McAfee-GW-Edition 2010.1C 2011.03.30 -
Microsoft 1.6702 2011.03.30 -
NOD32 5998 2011.03.30 -
Norman 6.07.03 2011.03.29 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.29 -
PCTools 7.0.3.5 2011.03.30 -
Prevx 3.0 2011.03.31 -
Rising 23.51.02.03 2011.03.30 -
Sophos 4.64.0 2011.03.30 -
SUPERAntiSpyware 4.40.0.1006 2011.03.30 -
Symantec 20101.3.0.103 2011.03.30 WS.Reputation.1
TheHacker 6.7.0.1.161 2011.03.30 -
TrendMicro 9.200.0.1012 2011.03.30 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.30 -
VBA32 3.12.14.3 2011.03.30 -
VIPRE 8864 2011.03.30 -
ViRobot 2011.3.30.4383 2011.03.30 -
VirusBuster 13.6.276.0 2011.03.29 -
MD5: d2d2aacf1837f465d00ccd93c02816b9
SHA1: 64381e51c739094e7feca0654d08e4841caf222d
SHA256: b8f15f13817b7cac7f519e4ca5edeaff01cec0cae6d98d2e50799eb8324796b0
File size: 1614848 bytes
Scan date: 2011-03-30 22:40:40 (UTC)
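The helper's CFScript targets exactly the two freshly created files whose attribute flags stand out in the ComboFix log (a hidden+system DLL in system32 and a zero-byte file in the Windows root), and the VirusTotal MD5 lets you confirm the uploaded sfcfiles.dll is the same binary ComboFix hashed. The following triage script is an added example written for this page, not code from the thread or from ComboFix; the field layout it parses is my reading of the log lines as posted above, and the sample lines are copied from the thread.

```python
"""Triage helpers for ComboFix log excerpts like the ones posted in this thread."""
import re

# Constructed sample: five "Files Created" lines copied from the first log above.
FILES_CREATED = """\
2011-03-26 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-03-26 22:44 . 2011-03-26 22:44 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2011-03-26 21:50 . 2011-03-30 13:40 0 ----a-w- c:\\windows\\Ixareyajofo.bin
2011-03-26 21:48 . 2011-03-26 21:48 149504 --sha-r- c:\\windows\\system32\\wmnetmgr7.dll
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\\program files\\Mozilla Firefox\\plugins\\nppdf32.dll
"""

# The Sigcheck line and the VirusTotal hash lines, also copied from the thread.
SIGCHECK_LINE = ("[-] 2009-09-13 . D2D2AACF1837F465D00CCD93C02816B9 . 1614848 . . "
                 "[5.1.2600.5512] . . c:\\windows\\system32\\sfcfiles.dll")
VIRUSTOTAL_TEXT = """\
MD5: d2d2aacf1837f465d00ccd93c02816b9
SHA1: 64381e51c739094e7feca0654d08e4841caf222d
File size: 1614848 bytes
"""

# Assumed layout: "<created> . <modified> <size or --------> <8 flag chars> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$")
# Assumed layout: "[marker] <date> . <MD5> . <size> . . [version] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(.*?)\] (\S+) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([^\]]*)\] \. \. (.+)$")


def parse_files_created(text):
    """Return one dict per parsable line of a 'Files Created' section."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, flags, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "size": None if size.startswith("-") else int(size),
            "is_dir": flags[0] == "d",
            # My reading of the flag letters: s = system, h = hidden (d = directory)
            "system": "s" in flags,
            "hidden": "h" in flags,
            "path": path.lower(),
        })
    return entries


def suspicious_files(entries):
    """Two heuristics that reproduce the helper's picks for the CFScript File:: block."""
    findings = {}
    for e in entries:
        if e["is_dir"]:
            continue
        reasons = []
        # A newly created hidden+system file in system32 is not how Windows or
        # mainstream installers drop components (mirrors wmnetmgr7.dll above).
        if e["hidden"] and e["system"] and e["path"].startswith("c:\\windows\\system32\\"):
            reasons.append("hidden+system file in system32")
        # A zero-byte file dropped directly into c:\windows is a typical marker
        # file for this kind of infection (mirrors Ixareyajofo.bin above).
        if (e["size"] == 0 and e["path"].startswith("c:\\windows\\")
                and e["path"].count("\\") == 2):
            reasons.append("empty file in windows root")
        if reasons:
            findings[e["path"]] = reasons
    return findings


def parse_sigcheck(line):
    """Split a ComboFix Sigcheck line into its marker, hash, size, version and path."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        return None
    marker, date, md5, size, version, path = m.groups()
    return {"marker": marker, "date": date, "md5": md5.lower(),
            "size": int(size), "version": version, "path": path.lower()}


def matches_virustotal(sigcheck, vt_text):
    """True when the MD5 and size in a VirusTotal report are those of the file
    ComboFix hashed, i.e. the user uploaded the right binary."""
    md5 = re.search(r"^MD5:\s*([0-9a-fA-F]{32})", vt_text, re.M)
    size = re.search(r"^File size:\s*(\d+)", vt_text, re.M)
    if not (md5 and size):
        return False
    return md5.group(1).lower() == sigcheck["md5"] and int(size.group(1)) == sigcheck["size"]


if __name__ == "__main__":
    for path, why in suspicious_files(parse_files_created(FILES_CREATED)).items():
        print(path, "->", ", ".join(why))
    sc = parse_sigcheck(SIGCHECK_LINE)
    print("sigcheck marker:", sc["marker"], "| VT report is same file:",
          matches_virustotal(sc, VIRUSTOTAL_TEXT))
```

The two flagged paths are the ones the helper put under `File::`; the Sigcheck marker `[-]` is what prompted the VirusTotal upload, and the hash match confirms the report refers to that file rather than a same-named copy elsewhere.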
neo_celes
2011-03-31, 02:03
Here is the Combo Fix log
-------------------------------------------------------------------------
ComboFix 11-03-29.06 - Home 03/30/2011 18:52:06.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1645 [GMT -4:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\windows\Ixareyajofo.bin"
"c:\windows\system32\wmnetmgr7.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Home\Local Settings\Application Data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}
c:\documents and settings\Home\Local Settings\Application Data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}\chrome.manifest
c:\windows\Ixareyajofo.bin
c:\windows\system32\wmnetmgr7.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-29 13:35 . 2011-03-29 13:35 -------- d-----w- c:\program files\Common Files\Java
2011-03-28 23:03 . 2011-03-28 23:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-28 19:49 . 2011-03-28 23:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}(2)
2011-03-27 12:31 . 2011-03-27 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-27 12:31 . 2011-03-27 12:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:44 . 2011-03-26 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 22:05 . 2011-03-26 22:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-03 00:56 . 2011-03-30 13:45 -------- d-----w- c:\documents and settings\Home\Application Data\HPAppData
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 05:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 05:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:40 . 2010-10-31 21:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2010-10-31 21:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:42 . 2008-04-14 05:00 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 05:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14 . 2009-09-13 17:53 1864064 ----a-w- c:\windows\system32\win32k.sys
2010-10-14 02:28 . 2010-10-15 20:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------
.
[-] 2009-09-13 . D2D2AACF1837F465D00CCD93C02816B9 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-03-30_18.43.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-30 18:51 . 2011-03-30 18:51 16384 c:\windows\Temp\Perflib_Perfdata_5ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"AdobeAAMUpdater-1.0"="c:\program files\common files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\common files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\common files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-09-13 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\common files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\program files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\program files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\program files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\program files\\Skype\\Phone\\Skype.exe"=
"c:\\program files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56663:TCP"= 56663:TCP:Pando Media Booster
"56663:UDP"= 56663:UDP:Pando Media Booster
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/15/2010 4:23 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\Mcafee\SystemCore\mfefire.exe [10/15/2010 4:23 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/15/2010 4:23 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/15/2010 4:23 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/15/2010 4:23 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 4:23 PM 88544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/14/2010 8:29 AM 1684736]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 4:23 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/15/2010 4:23 PM 84264]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{75A62F1D-8D4A-443C-AE75-497900CEA76C}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\p0i1h51t.default\
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 18:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-03-30 19:00:15
ComboFix-quarantined-files.txt 2011-03-30 23:00
ComboFix2.txt 2011-03-30 18:45
.
Pre-Run: 62,838,177,792 bytes free
Post-Run: 62,825,766,912 bytes free
.
- - End Of File - - 5447BB2DB543809EE1227EFFB99B7595
Blottedisk
2011-03-31, 04:13
Hi,
Please follow these steps:
Step 1 | Please insert your Windows XP CD into your D: CD-Rom drive. Then:
Go to Start --> Run and type "cmd" (don't include the quotes) and press enter.
A command prompt window will open. Please type the following and then press enter:
expand D:\i386\sfcfiles.dl_ C:\Windows\System32\sfcfiles.dll
Reboot your computer.
*IMPORTANT: Please note the spaces between the words "expand" and "D:\" and between the words "sfcfiles.dl_" and "C:\"
Step 2 | Please delete your current version of Combofix. After this, please download Combofix from any of the links below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
--------------------------------------------------------------------
Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
neo_celes
2011-03-31, 05:26
Here's the combofix log
-------------------------------------------------------------------------
ComboFix 11-03-30.01 - Home 03/30/2011 22:17:27.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1564 [GMT -4:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-29 13:35 . 2011-03-29 13:35 -------- d-----w- c:\program files\Common Files\Java
2011-03-28 23:03 . 2011-03-28 23:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-28 19:49 . 2011-03-28 23:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\{9A86C98D-ACE7-403A-BE71-45D5425B4F3C}(2)
2011-03-27 12:31 . 2011-03-27 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-27 12:31 . 2011-03-27 12:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:44 . 2011-03-26 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 22:05 . 2011-03-26 22:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-03 00:56 . 2011-03-30 13:45 -------- d-----w- c:\documents and settings\Home\Application Data\HPAppData
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 05:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 05:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:40 . 2010-10-31 21:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2010-10-31 21:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:42 . 2008-04-14 05:00 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 05:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14 . 2009-09-13 17:53 1864064 ----a-w- c:\windows\system32\win32k.sys
2010-10-14 02:28 . 2010-10-15 20:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
------- Sigcheck -------
.
[-] 2009-09-13 . D2D2AACF1837F465D00CCD93C02816B9 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-03-30_18.43.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-30 18:51 . 2011-03-30 18:51 16384 c:\windows\Temp\Perflib_Perfdata_5ac.dat
+ 2010-10-16 01:58 . 2011-03-31 00:35 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-10-16 01:58 . 2011-03-30 18:24 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-03-30 23:23 . 2011-03-31 00:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"AdobeAAMUpdater-1.0"="c:\program files\common files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\common files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\common files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-09-13 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\program files\\common files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\program files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\program files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\program files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\program files\\Skype\\Phone\\Skype.exe"=
"c:\\program files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\program files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56663:TCP"= 56663:TCP:Pando Media Booster
"56663:UDP"= 56663:UDP:Pando Media Booster
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/15/2010 4:23 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/15/2010 4:23 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\Mcafee\SystemCore\mfefire.exe [10/15/2010 4:23 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/15/2010 4:23 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/15/2010 4:23 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/15/2010 4:23 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 4:23 PM 88544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/14/2010 8:29 AM 1684736]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/15/2010 4:23 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/15/2010 4:23 PM 84264]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{75A62F1D-8D4A-443C-AE75-497900CEA76C}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\p0i1h51t.default\
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 22:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3868)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2011-03-30 22:23:49
ComboFix-quarantined-files.txt 2011-03-31 02:23
ComboFix2.txt 2011-03-30 23:00
ComboFix3.txt 2011-03-30 18:45
.
Pre-Run: 62,788,800,512 bytes free
Post-Run: 62,776,651,776 bytes free
.
- - End Of File - - F50E4F59182CE1DB5AE5E8163400823C
Blottedisk
2011-03-31, 05:44
Hi neo_celes,
Could you complete step 1 from my instructions? Did you receive any kind of message?
neo_celes
2011-03-31, 05:47
Hi Blottedisk,
I don't have the Windows XP disk so I couldn't do step one.
Blottedisk
2011-03-31, 18:25
We need to diagnose a possible problem with WGA.
Please download MGADiag.exe (http://go.microsoft.com/fwlink/?linkid=56062) and save it to your desktop.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis; please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.
neo_celes
2011-04-01, 00:30
Here's the report. It reported a cryptographic error.
-------------------------------------------------------------------------
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Cryptographic Errors Detected
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-RKPMH-M2WFT-P4WQJ
Windows Product Key Hash: RQOITWLBzl1A5FKfiK7Q4hst0n8=
Windows Product ID: 76487-640-1457236-23632
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {3665C21F-1C74-4BC1-96C8-D1D75A120D05}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: N/A, hr = 0x80004005
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80004005
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: N/A, hr = 0x80004005
WgaLogon.dll Signed By: N/A, hr = 0x80004005
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3665C21F-1C74-4BC1-96C8-D1D75A120D05}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-P4WQJ</PKey><PID>76487-640-1457236-23632</PID><PIDType>1</PIDType><SID>S-1-5-21-1708537768-115176313-1417001333</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.20</Version><SMBIOSVersion major="2" minor="5"/><Date>20090512000000.000000+000</Date></BIOS><HWID>A5B233BF0184A072</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57587</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults>
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 13683:GENUINE C&C INC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
OEM Activation 2.0 Data-->
N/A
Blottedisk
2011-04-01, 01:53
It seems from your returned report that your copy of Microsoft Office Professional Edition 2003 is not legitimate.
Validation Status: Blocked VLK
A "Blocked VLK" is a Volume License Key that is valid but was licensed solely to a corporation or larger enterprise/business. Blocked VLKs are Product Keys that Microsoft has received consent from the original owner to block its usage. A VL Product Key is non-transferable to individuals.
Also, your XP registration key seems to be in use on other computers.
For that reason I'm not able at this point to assist you with the clean up of your computer.
I'm bound by forum policy on this matter. >>> SEE HERE (http://forums.spybot.info/showpost.php?p=25290&postcount=4)
If you purchased this copy of XP from a reseller or retailer, you are a victim and should report this to Microsoft.
In order to resolve your non-genuine licensing issue, please visit:
www.microsoft.com/genuine (http://www.microsoft.com/genuine) and click on "Validate Windows". When validation fails, you'll see a button to click on which will provide information on how to acquire a WGA Kit.
Many people have unlicensed copies of Windows and don't even realise it.
Unfortunately, unlicensed copies of Windows are unable to install the Critical Updates / Service Packs which are vital for the safe and 'relatively' secure running of the Operating System. Our Helpers would be wasting their time fixing an unpatched machine as reinfection is usually immediate.
Your options are:
Obtain and install a valid copy of Windows XP
Install a different OS, such as Linux
Do not connect this computer to the internet
Reformat and re-install each time your system becomes unusable due to malware infestations
neo_celes
2011-04-01, 02:00
I understand, thank you for all your help :)
Blottedisk
2011-04-01, 03:00
You are welcome.
I shall close this topic now.