Thread: Malware Removal Problems

  1. #1
    Junior Member
    Join Date
    Jul 2009
    Posts
    12

    Malware Removal Problems

    Hi, I'm having some technical issues that I'm hoping someone here can help me with.

    I'm running Windows XP on a Dell Inspiron 8600. I have McAfee on my computer which has told me that I have a Trojan named Vundo on my machine (that it can't remove).

    I did a little bit of research and what I have kind of sounds like Vundo. I can't click on links when I search for stuff on Google or Yahoo or I get sent to some weird 3rd party site that isn't the link I clicked. iExplorer will also sometimes run in the background and show ads or play weird audio files.

    I downloaded VundoFix and tried to get rid of it with that, but the program did now find any instances of Vundo.

    I read the information that has been posted on this forum and tried to download both Spybot and HiJack this, but once I download them I can't get them to open... I looked into this a little bit and brought up my Task List and it shows that those files are running, but I can't get their windows to open or anything.

    Can someone help me out here and get me started on the road so I can grab a HiJack this report and start to figure out what's wrong with my machine?

    Thanks.

    Sorry... typo... that should read that VundoFix did NOT find any instances of Vundo.

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.



    Download GMER here by clicking the "download exe" button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Jul 2009
    Posts
    12

    Thanks for the response. Attached are the DDS reports. I'm having issues attaching the GMER. I get the error message that "Your file of 106.8 KB bytes exceeds the forum's limit of 48.8 KB for this filetype." and when I try to just cut and paste it here I get the message that "The text that you have entered is too long (109586 characters). Please shorten it to 64000 characters long."

    Please advise. Thanks.

  4. #4
    Junior Member
    Join Date
    Jul 2009
    Posts
    12

    On second thought, I split the GMER into two responses below... Let me know if there's a different way you'd like me to get it to you.

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-07-24 15:23:37
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF23A322B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF23A31AB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF23A3255]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF23A31BF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF23A31EB]
    Code 86C86290 ZwEnumerateKey
    Code 86C86740 ZwFlushInstructionCache
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF23A327F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF23A3197]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF23A323F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF23A31D5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF23A3201]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF23A3217]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF23A3295]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF23A3269]
    Code 86C860F6 IofCallDriver
    Code 86C85DF6 IofCompleteRequest
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code 86C86D35 ZwSaveKey
    Code 86C870BD ZwSaveKeyEx

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 86C86D3A
    .text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 86C870C2
    .text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86C860FB
    .text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 86C85DFB
    .text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F23A326D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP F23A319B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F23A322F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP F23A31AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 86C86294
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP F23A3243 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP F23A3205 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP F23A3299 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F23A3283 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 86C86744
    PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP F23A321B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP F23A31EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP F23A31C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP F23A3259 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP F23A31D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Java\jre6\bin\jqs.exe[240] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008B000A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[240] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008C000A
    .text C:\WINDOWS\Explorer.EXE[356] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E2000A
    .text C:\WINDOWS\Explorer.EXE[356] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E3000A
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02AB0000
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02AB0F6F
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02AB0F8A
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02AB0058
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02AB0F9B
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02AB0FB6
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02AB0F4A
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02AB009C
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02AB0F14
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02AB00B7
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02AB00C8
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02AB003D
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02AB0011
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02AB007F
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02AB0022
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02AB0FDB
    .text C:\WINDOWS\Explorer.EXE[356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02AB0F39
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D1001B
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D1007D
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D10FCA
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D1000A
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D1006C
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D10FEF
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01D10051
    .text C:\WINDOWS\Explorer.EXE[356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D10036
    .text C:\WINDOWS\Explorer.EXE[356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01D00FB0
    .text C:\WINDOWS\Explorer.EXE[356] msvcrt.dll!system 77C293C7 5 Bytes JMP 01D0003B
    .text C:\WINDOWS\Explorer.EXE[356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01D00FC1
    .text C:\WINDOWS\Explorer.EXE[356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01D00FE3
    .text C:\WINDOWS\Explorer.EXE[356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01D00020
    .text C:\WINDOWS\Explorer.EXE[356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01D00FD2
    .text C:\WINDOWS\Explorer.EXE[356] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01DA000A
    .text C:\WINDOWS\Explorer.EXE[356] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01DA001B
    .text C:\WINDOWS\Explorer.EXE[356] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01DA0040
    .text C:\WINDOWS\Explorer.EXE[356] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01DA005B
    .text C:\WINDOWS\Explorer.EXE[356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CF0FE5
    .text C:\WINDOWS\system32\ctfmon.exe[640] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B0000A
    .text C:\WINDOWS\system32\ctfmon.exe[640] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B1000A
    .text C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0085000A
    .text C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0086000A
    .text C:\WINDOWS\system32\services.exe[908] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0085000A
    .text C:\WINDOWS\system32\services.exe[908] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0086000A
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01490FEF
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01490065
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01490054
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01490F70
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01490F8D
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01490FB2
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01490091
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetStartupInfoA 7C801EF2 3 Bytes JMP 01490080
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetStartupInfoA + 4 7C801EF6 1 Byte [84]
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014900C7
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01490F2E
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01490F09
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0149002F
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01490FDE
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01490F55
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01490014
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01490FC3
    .text C:\WINDOWS\system32\services.exe[908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014900AC
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FCA
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F8D
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FDB
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0006001B
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006004A
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0006000A
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F9E
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
    .text C:\WINDOWS\system32\services.exe[908] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FB9
    .text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005005F
    .text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FD4
    .text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050029
    .text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
    .text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050044
    .text C:\WINDOWS\system32\services.exe[908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050018
    .text C:\WINDOWS\system32\services.exe[908] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
    .text C:\WINDOWS\system32\services.exe[908] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00070000
    .text C:\WINDOWS\system32\services.exe[908] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00070FEF
    .text C:\WINDOWS\system32\services.exe[908] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00070FDE
    .text C:\WINDOWS\system32\services.exe[908] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00070FC3
    .text C:\WINDOWS\system32\lsass.exe[920] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0090000A
    .text C:\WINDOWS\system32\lsass.exe[920] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01550000
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01550F66
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01550F77
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01550F94
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01550FA5
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01550FDB
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01550F1D
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01550F3A
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01550EDD
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01550076
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01550091
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01550FCA
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0155001B
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01550F4B
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01550047
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0155002C
    .text C:\WINDOWS\system32\lsass.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01550F02
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01530FB9
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01530076
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01530FD4
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01530FE5
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01530065
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01530000
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01530040
    .text C:\WINDOWS\system32\lsass.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0153002F
    .text C:\WINDOWS\system32\lsass.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0152007A
    .text C:\WINDOWS\system32\lsass.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 0152005F
    .text C:\WINDOWS\system32\lsass.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01520029
    .text C:\WINDOWS\system32\lsass.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01520000
    .text C:\WINDOWS\system32\lsass.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01520044
    .text C:\WINDOWS\system32\lsass.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01520FEF
    .text C:\WINDOWS\system32\lsass.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01510000
    .text C:\WINDOWS\system32\lsass.exe[920] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 0154000A
    .text C:\WINDOWS\system32\lsass.exe[920] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01540FEF
    .text C:\WINDOWS\system32\lsass.exe[920] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01540FDE
    .text C:\WINDOWS\system32\lsass.exe[920] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01540FCD
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D40FEF
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D40F5C
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D40F6D
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D40F94
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D40047
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D40FA5
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D40F29
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D40F3A
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D40EFD
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D4008C
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D400A7
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D4002C
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D4000A
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D40F4B
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D4001B
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D40FD4
    .text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D40F0E
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0162001B
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0162005B
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01620FCA
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01620FE5
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01620F94
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01620000
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01620036
    .text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01620FAF
    .text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01610FB4
    .text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 01610FD9
    .text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0161002E
    .text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0161000C
    .text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01610049
    .text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0161001D
    .text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01600FEF
    .text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01630FE5
    .text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 0163000A
    .text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 0163001B
    .text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 0163002C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1140] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009A000A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1140] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009B000A
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 016F0000
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 016F0089
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 016F006E
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 016F0F94
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 016F0047
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 016F0FC0
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 016F0F5E
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 016F0F79
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016F0F21
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016F0F3C
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 016F0F10
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 016F0FA5
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 016F0FEF
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 016F009A
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 016F002C
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 016F001B
    .text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016F0F4D
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014D003D
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014D006C
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014D0022
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014D0011
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014D0FAF
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014D0000
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 014D0FCA
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6D, 89]
    .text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014D0FDB
    .text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 014C0F8B
    .text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 014C0FA6
    .text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 014C000C
    .text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014C0FEF
    .text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 014C0FB7
    .text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014C0FD2
    .text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014B000A
    .text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 016E0FE5
    .text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 016E0000
    .text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 016E0FD4
    .text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 016E0025
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03330FEF
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03330F80
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0333007F
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0333006E
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03330051
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03330FB9
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03330F2D
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03330F48
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03330EF0
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03330F0B
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 033300AE
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03330040
    .text

  5. #5
    Junior Member
    Join Date
    Jul 2009
    Posts
    12

    C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0333000A
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03330F6F
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03330025
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03330FD4
    .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03330F1C
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03310051
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03310FAF
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03310040
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03310025
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0331006C
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0331000A
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03310FD4
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [51, 8B]
    .text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03310FE5
    .text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03300FC3
    .text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 03300FD4
    .text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03300029
    .text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0330000C
    .text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0330003A
    .text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03300FEF
    .text C:\WINDOWS\System32\svchost.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 021F0FEF
    .text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 03320FE5
    .text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 03320FCA
    .text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 03320FAF
    .text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 03320F94
    .text C:\Program Files\iTunes\iTunesHelper.exe[1280] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F6000A
    .text C:\Program Files\iTunes\iTunesHelper.exe[1280] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00F7000A
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01010FE5
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01010040
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01010F4B
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01010F66
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0101002F
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01010F9E
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01010F02
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01010F1F
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01010EF1
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01010080
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01010ED6
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01010F8D
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01010FD4
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01010F30
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01010FAF
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01010000
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01010065
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD002C
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0062
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD0FDB
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0011
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0051
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0000
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FD0FAF
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1D, 89]
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0FC0
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FC0044
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FC0033
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FC0018
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FC0FEF
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FC0FC3
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FC0FDE
    .text C:\WINDOWS\System32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
    .text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00FF0FDE
    .text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00FF0FCD
    .text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00FF0FB2
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1336] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F1000A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1336] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00F2000A
    .text C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[1400] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CC000A
    .text C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE[1400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CD000A
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[1412] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CF000A
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[1412] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D0000A
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FE5
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F37
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F48
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70F6F
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F80
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70011
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F0B
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70047
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70093
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70EFA
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70EDF
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F7002C
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70FD4
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F1C
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70000
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FB9
    .text C:\WINDOWS\System32\svchost.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70078
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50025
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50047
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50FD4
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50FE5
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F50F8A
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50000
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F50036
    .text C:\WINDOWS\System32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50FB9
    .text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40FC1
    .text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F40042
    .text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40FD2
    .text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40000
    .text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40027
    .text C:\WINDOWS\System32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40FE3
    .text C:\WINDOWS\System32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
    .text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00F60FEF
    .text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00F60FDE
    .text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00F60FCD
    .text C:\WINDOWS\System32\svchost.exe[1448] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00F60014
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1564] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D0000A
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1564] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D1000A
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1644] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008E000A
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1644] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008F000A
    .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BA000A
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[1812] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CE000A
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[1812] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CF000A
    .text C:\WINDOWS\system32\ZCfgSvc.exe[2012] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0131000A
    .text C:\WINDOWS\system32\ZCfgSvc.exe[2012] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0132000A
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A7000A
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022D0FEF
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 022D0F81
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 022D006C
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022D0F92
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 022D005B
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 022D0040
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022D0F70
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022D00B8
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022D0F3A
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022D0F5F
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022D00F8
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 022D0FB9
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 022D000A
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 022D0091
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 022D002F
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 022D0FD4
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022D00DD
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 022B0FC0
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 022B0F6F
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 022B0FD1
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 022B0011
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 022B0F80
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 022B0000
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 022B002C
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 022B0FA5
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 022A0F9C
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!system 77C293C7 5 Bytes JMP 022A0027
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 022A0FD2
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 022A0FE3
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 022A0FB7
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 022A000C
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02290FEF
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 022C0FEF
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 022C0FDE
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 022C0FC3
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2100] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 022C0FB2
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[2256] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008A000A
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[2256] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008B000A
    .text C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe[2320] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0081000A
    .text C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe[2320] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0082000A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2484] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D0000A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2484] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D1000A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AA000A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AB000A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01750000
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01750F74
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01750F8F
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01750069
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01750FAC
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01750FC7
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0175008E
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01750F52
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017500BA
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017500A9
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 017500CB
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01750058
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01750011
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01750F63
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0175003D
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0175002C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01750F2B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0173000A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0173003D
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01730FB9
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01730FD4
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0173002C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01730FEF
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01730F8A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [93, 89]
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0173001B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01720FA6
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!system 77C293C7 5 Bytes JMP 01720FB7
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01720FE3
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01720000
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01720FC8
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0172001D
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01710FEF
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01740000
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 0174001B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01740036
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2512] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01740FDB
    .text C:\WINDOWS\System32\RegSrvc.exe[2652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AC000A
    .text C:\WINDOWS\System32\RegSrvc.exe[2652] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AD000A
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01330FEF
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01330F3D
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01330028
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01330F5A
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01330F75
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01330FAB
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01330F07
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01330F18
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01330EF6
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0133008F
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013300AA
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01330F86
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01330FDE
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01330043
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01330FBC
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01330FCD
    .text C:\WINDOWS\System32\svchost.exe[2788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0133006A
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FB2
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0F61
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FC3
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0FDE
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0F7C
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF001E
    .text C:\WINDOWS\System32\svchost.exe[2788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0FA1
    .text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0038
    .text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FAD
    .text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD001D
    .text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0000
    .text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FC8
    .text C:\WINDOWS\System32\svchost.exe[2788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FE3
    .text C:\WINDOWS\System32\svchost.exe[2788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC000A
    .text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01320FEF
    .text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01320FDE
    .text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01320FCD
    .text C:\WINDOWS\System32\svchost.exe[2788] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01320FBC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3228] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B2000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3228] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B3000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3228] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00A52306 c:\windows\system32\gasesowo.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3228] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C52230
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3228] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00C52070
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C52050
    .text C:\Program Files\iPod\bin\iPodService.exe[3772] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AD000A
    .text C:\Program Files\iPod\bin\iPodService.exe[3772] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AE000A
    .text C:\Documents and Settings\whitmyer.BWW-LAP-DEL-069\Desktop\crcdpben.exe[5056] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DB000A
    .text C:\Documents and Settings\whitmyer.BWW-LAP-DEL-069\Desktop\crcdpben.exe[5056] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DC000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00EE000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00EF000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00290000
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0029006E
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0029005D
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00290F83
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00290F94
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0029002F
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0029007F
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00290F37
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00290F01
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00290F1C
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00290EDC
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00290040
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00290FE5
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 015A2306 c:\windows\system32\gasesowo.dll
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00290F54
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00290FB9
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00290FCA
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0029009A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00380FB2
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00380054
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00380FC3
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00380FDE
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00380F97
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00380FEF
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00380039
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00380028
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00390FBC
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!system 77C293C7 5 Bytes JMP 00390047
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00390022
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00390000
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00390FD7
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00390011
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C72230
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 015A286C c:\windows\system32\gasesowo.dll
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C72050
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C72030
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!HttpAddRequestHeadersA 7805FB4D 5 Bytes JMP 012D000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01090FEF
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01090FD4
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01090000
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01090011
    .text C:\Program Files\Internet Explorer\Iexplore.exe[6000] WININET.dll!HttpAddRequestHeadersW 780CD14D 5 Bytes JMP 013E000A

  6. #6
    Junior Member
    Join Date
    Jul 2009
    Posts
    12

    Default

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [356] 0x00F20000
    Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1080] 0x03230000
    Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1188] 0x00C50000
    Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1232] 0x00C50000
    Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1292] 0x00C50000
    Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1448] 0x00C50000
    Library \\?\globalroot\systemroot\system32\UACeoawmsbsridvkwo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2788] 0x00C50000

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

    ---- EOF - GMER 1.0.15 ----

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,

    Please visit this webpage for download links and instructions for running the ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds.txt log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  8. #8
    Junior Member
    Join Date
    Jul 2009
    Posts
    12

    Default

    I can install ComboFix, but I can't get it to open on my computer, just like I couldn't get Spybot to open (whether in normal or safe modes).

    Please advise.

  9. #9
    Junior Member
    Join Date
    Jul 2009
    Posts
    12

    Default

    Ok, false alarm. I re-downloaded ComboFix and was able to run it. I attached one of the files that you requested... When ComboFix finished running it told me to go to C:\ComboFix to recover the log but that folder appears empty to me, so not sure if this is all that you need or if there's anything else.

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Please post fresh dds.txt file contents too (re-run DDS).
