
Thread: FakeAlert Damage

  1. #21
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Still with us ?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #22
    Junior Member
    Join Date
    Jun 2011
    Location
    Old Warden, England
    Posts
    23

    FakeAlert Damage

    Hello ken545

    Sorry, I was waiting for an email to tell me you had replied. It will not happen again; I will check the thread frequently.

    I have had trouble with running your "fix" code; yesterday I ran it twice and each time there were two copies of the report text displayed on reboot and the computer was locked up. I have tried twice today and was successful with the second attempt.

    Here is the report:

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    HKU\S-1-5-21-329068152-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Prefs.js: "ALOT Search" removed from browser.search.selectedEngine
    Prefs.js: "http://search.alot.com/web?&src_id=11031&client_id=ba146d35986fdc88e6195cb8&camp_id=38&install_time=2009-08-11T13:33:28Z&tb_version=2.4.11000%28F%29&pr=auto&q=" removed from keyword.URL
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /release /c >
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . . . . :
    C:\Documents and Settings\WEL\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\WEL\Desktop\cmd.txt deleted successfully.
    < ipconfig /renew /c >
    Windows IP Configuration
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : home
    IP Address. . . . . . . . . . . . : 192.168.1.64
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.254
    C:\Documents and Settings\WEL\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\WEL\Desktop\cmd.txt deleted successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Could not flush the DNS Resolver Cache: Function failed during execution.
    C:\Documents and Settings\WEL\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\WEL\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.AMD2-3A4FB6A446
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.AMD2-3A4FB6A446.000
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33237 bytes

    User: NetworkService
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: WEL
    ->Temp folder emptied: 219913 bytes
    ->Temporary Internet Files folder emptied: 241585 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 9209259 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 810 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 82403 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 9.00 mb


    OTL by OldTimer - Version 3.2.25.0 log created on 07102011_114406

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_cd8.dat not found!
    C:\Documents and Settings\WEL\Local Settings\Temp\WCESLog.log moved successfully.

    Registry entries deleted on Reboot...


    END OF REPORT.

    The computer is very slow and the icons that we retrieved earlier are dimmed, but they do run OK. I cannot find many programs using Win Explorer or Run/Start, but can run them by opening appropriate text files, e.g. opening a photograph file starts the photo editor.

    Once again, many thanks for your help.

    secWEL

  3. #23
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Let's see if this finds anything

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply

  4. #24
    Junior Member
    Join Date
    Jun 2011
    Location
    Old Warden, England
    Posts
    23

    FakeAlert Damage

    Hello ken545

    Sorry, when I try to run aswMBR.exe I get a message saying it is not a valid Win32 file. I cannot access the Command Prompt to run it as a DOS file.

    How shall I proceed?

    Thanks
    secWEL

  5. #25
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Let's try this instead

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)

    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Please copy and paste the report into your Post.

  6. #26
    Junior Member
    Join Date
    Jun 2011
    Location
    Old Warden, England
    Posts
    23

    FakeAlert Damage

    Hello ken545

    Here is the GMER log.

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-07-11 12:37:37
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0 MAXTOR_S rev.3.AA
    Running: gmer.exe; Driver: C:\DOCUME~1\WEL\LOCALS~1\Temp\pfdiypob.sys


    .text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01AF000A
    .text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01AF0FEF
    .text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01AF0025
    .text C:\WINDOWS\System32\svchost.exe[1588] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 01AF0036
    .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A70000
    .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A70FDB
    .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A7001B
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A60000
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A60076
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A6005B
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A6004A
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A60F8D
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A60039
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A60098
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A60F5C
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A60F24
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A60F3F
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A600E2
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A60FA8
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A60FE5
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A60087
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A60FC3
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A60FD4
    .text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A600B3
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FD4
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093006C
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FE5
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093001B
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930051
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FAF
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
    .text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930040
    .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920036
    .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920025
    .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC6
    .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
    .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FAB
    .text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
    .text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FD4
    .text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900FC3
    .text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00900014
    .text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
    .text C:\WINDOWS\system32\SearchIndexer.exe[2552] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00F21B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 34420FE5
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 34420FCA
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 34420000
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 34410FEF
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 34410093
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 34410078
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 34410F9E
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 3441005B
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 34410039
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 344100CB
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 34410F83
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 34410F4D
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 34410F68
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 34410F32
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 3441004A
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 34410FDE
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 344100A4
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 34410FCD
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 34410014
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 344100E6
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 343F0FB7
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!system 77C293C7 5 Bytes JMP 343F0FC8
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 343F0027
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 343F0000
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 343F0042
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 343F0FEF
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 34400FD4
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 34400F94
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 34400025
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 3440000A
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 34400051
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 34400FEF
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 34400FB9
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [60, BC]
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 34400036
    .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[3320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 343E0000
    .text C:\WINDOWS\system32\svchost.exe[3700] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FE5
    .text C:\WINDOWS\system32\svchost.exe[3700] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF0025
    .text C:\WINDOWS\system32\svchost.exe[3700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF0000
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F6F
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F8A
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0058
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0047
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FC0
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0095
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F4D
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F21
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F32
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00D5
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FA5
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FEF
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F5E
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002C
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE001B
    .text C:\WINDOWS\system32\svchost.exe[3700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00B0
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD002C
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0062
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FDB
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0011
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0FA5
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD0047
    .text C:\WINDOWS\system32\svchost.exe[3700] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FC0
    .text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FA4
    .text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FB5
    .text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FD7
    .text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
    .text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FC6
    .text C:\WINDOWS\system32\svchost.exe[3700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0011

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume12 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume9 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume10 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume11 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft@TechLevel 0xED 0x38 0x55 0x6A ...
    Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\LastSetupCommand@
    Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\Rename\File20@ C:\Documents and Settings\WEL\Application Data\Real\Update\UpgradeHelper\RealPlayer\8.01\pnup1.exe|rnupgagent.exe
    Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\UpgClasses@
    Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\UpgComps@
    Reg HKLM\SOFTWARE\Classes\SOFTWARE\RealNetworks\Update\6.0\Preferences\UpgProds@

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\WEL\Local Settings\Temporary Internet Files\Content.IE5\T7OHR148\extended[1].xml 133 bytes

    ---- EOF - GMER 1.0.15 ----

    Thanks
    secWEL

  7. #27
    Emeritus-Security Expert

    No rootkit Infection

    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.

  8. #28
    Junior Member

    FakeAlert Damage

    Hello ken545

    Not having any success in running the ESET online scanner. I tried with Firefox but got a message that "esetsmartinstaller_enu.exe" is not a valid Win32 application.

    Switched to IE8 and tried several times to run from your link, but each time it either hung after the "Accept terms" button was pressed. It loaded the online scanner pop-up and then either hung or closed IE.

    Today I have tried running the scanner directly from the ESET site. The result was much the same, although on one occasion I did see the "Click here to download onlinescanner.cab", but always the program hung or closed IE.

    When it hung I had to use Task Master to close the program.

    On all attempts I had stopped McAfee and MalwareBytes.

    Sorry I do not know what to try next and am feeling completely useless

    Looking forward to your advice again.

    Thanks

    secWEL

  9. #29
    Emeritus-Security Expert

    Try one of these, just need one to run. Online virus scanners act differently on each system, one they run fine and the next it won't run, go figure.

    Trendmicro Housecall
    BitDefender Online Scanner
    McAfee Online Scan

  10. #30
    Junior Member

    FakeAlert Damage

    Hello ken545

    I have run the House Call scan (it looked only at the C: drive) and it reported "no infections". I am having problems with the others, but will try again later.

    How is it that we can run programs (from icons or by opening previously created files) but they are not listed by "Win Explorer", "All Programs", "Add or Remove" or "Run/Browse"? They are presumably hidden, but were not revealed by the "Unhide" we ran.

    What fun these computers are!

    Thanks

    secWEL
