
Solved Google Redirect Issue

Discussion in 'Malware and Virus Removal Archive' started by Richard M, 2011/06/26.

  1. 2011/06/26
    Richard M

    Richard M Inactive Thread Starter

    Joined:
    2011/06/25
    Messages:
    24
    Likes Received:
    0
    [Resolved] Google Redirect Issue

    Hi,

    I have a Google redirect virus. When I search Google and click on a link, it takes me to a completely random website. I am using Windows Vista. I have McAfee protection and have run a full scan, but it didn't solve the problem. I have posted the logs as requested below. Any help is very much appreciated!

    Thank you

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6950

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    26/06/2011 12:39:33
    mbam-log-2011-06-26 (12-39-33).txt

    Scan type: Quick scan
    Objects scanned: 173481
    Time elapsed: 7 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Other logs to follow
     
  2. 2011/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    Please, complete all steps listed HERE

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

  4. 2011/06/26
    Richard M

    Richard M Inactive Thread Starter

    GMER Log

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-25 23:40:27
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-1 SAMSUNG_HD321KJ rev.CP100-11
    Running: syvw81z5.exe; Driver: C:\Users\Rich\AppData\Local\Temp\pxldrpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwOpenProcess [0x9A85B7A0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateProcess [0x9A85B848]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateThread [0x9A85B8E4]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwWriteVirtualMemory [0x9A85B980]

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8303C1E8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8303C1FE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8303C1D4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8263B982 5 Bytes JMP 8303C1D8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    .text ntkrnlpa.exe!KeSetEvent + 3F1 826BCB74 4 Bytes [A0, B7, 85, 9A]
    .text ntkrnlpa.exe!KeSetEvent + 621 826BCDA4 8 Bytes [48, B8, 85, 9A, E4, B8, 85, ...]
    .text ntkrnlpa.exe!KeSetEvent + 681 826BCE04 4 Bytes [80, B9, 85, 9A]
    PAGE ntkrnlpa.exe!NtMapViewOfSection 8282082A 7 Bytes JMP 8303C1EC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82820AED 5 Bytes JMP 8303C202 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    ? system32\DRIVERS\avgrkx86.sys The system cannot find the path specified. !
    ? system32\DRIVERS\AVGIDSEH.Sys The system cannot find the path specified. !
    ? system32\DRIVERS\avgtdix.sys The system cannot find the path specified. !
    ? system32\DRIVERS\AVGIDSShim.Sys The system cannot find the path specified. !
    ? system32\DRIVERS\AVGIDSFilter.Sys The system cannot find the path specified. !
    ? system32\DRIVERS\AVGIDSDriver.Sys The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[740] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00680FE5
    .text C:\Windows\system32\svchost.exe[740] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00680011
    .text C:\Windows\system32\svchost.exe[740] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00680000
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00660F1F
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 0066006F
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00660EFA
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 0066009B
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 0066004A
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00660FD4
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00660025
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00660F44
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00660F70
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00660FA8
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00660F97
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00660FB9
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00660F55
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00660EE9
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00660FE5
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00660000
    .text C:\Windows\system32\svchost.exe[740] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 0066008A
    .text C:\Windows\system32\svchost.exe[740] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00610FB4
    .text C:\Windows\system32\svchost.exe[740] msvcrt.dll!system 7621804B 5 Bytes JMP 0061003F
    .text C:\Windows\system32\svchost.exe[740] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 0061002E
    .text C:\Windows\system32\svchost.exe[740] msvcrt.dll!_open 7621D106 5 Bytes JMP 00610000
    .text C:\Windows\system32\svchost.exe[740] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 00610FD9
    .text C:\Windows\system32\svchost.exe[740] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 0061001D
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 005C0062
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 005C0FC0
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 005C0FEF
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 005C0047
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 005C0FAF
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 005C0025
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 005C0000
    .text C:\Windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 005C0036
    .text C:\Windows\system32\svchost.exe[740] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00670FEF
    .text C:\Windows\system32\services.exe[956] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 008D0FEF
    .text C:\Windows\system32\services.exe[956] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 008D0014
    .text C:\Windows\system32\services.exe[956] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 008D0FDE
    .text C:\Windows\system32\services.exe[956] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 008C00A7
    .text C:\Windows\system32\services.exe[956] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 008C0F57
    .text C:\Windows\system32\services.exe[956] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 008C00E7
    .text C:\Windows\system32\services.exe[956] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 008C00C2
    .text C:\Windows\system32\services.exe[956] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 008C0071
    .text C:\Windows\system32\services.exe[956] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 008C0FD4
    .text C:\Windows\system32\services.exe[956] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 008C0FB9
    .text C:\Windows\system32\services.exe[956] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 008C0F68
    .text C:\Windows\system32\services.exe[956] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 008C0054
    .text C:\Windows\system32\services.exe[956] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 008C0FA8
    .text C:\Windows\system32\services.exe[956] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 008C0F97
    .text C:\Windows\system32\services.exe[956] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 008C0025
    .text C:\Windows\system32\services.exe[956] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 008C0082
    .text C:\Windows\system32\services.exe[956] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 008C00F8
    .text C:\Windows\system32\services.exe[956] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 008C0FEF
    .text C:\Windows\system32\services.exe[956] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 008C0000
    .text C:\Windows\system32\services.exe[956] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 008C0F46
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegCreateKeyExA 761139AB 1 Byte [E9]
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00AB0FAF
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00AB0051
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00AB000A
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00AB0FCA
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00AB0F9E
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00AB0025
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00AB0FEF
    .text C:\Windows\system32\services.exe[956] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00AB0036
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_wsystem 76217F2F 3 Bytes JMP 00AD0FB2
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_wsystem + 4 76217F33 1 Byte [8A]
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!system 7621804B 3 Bytes JMP 00AD003D
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!system + 4 7621804F 1 Byte [8A]
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_creat 7621BBE1 3 Bytes JMP 00AD0011
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_creat + 4 7621BBE5 1 Byte [8A]
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_open 7621D106 5 Bytes JMP 00AD0FE3
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_wcreat 7621D326 3 Bytes JMP 00AD002C
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_wcreat + 4 7621D32A 1 Byte [8A]
    .text C:\Windows\system32\services.exe[956] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 00AD0000
    .text C:\Windows\system32\services.exe[956] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 00AE0000
    .text C:\Windows\system32\services.exe[956] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 00AE0036
    .text C:\Windows\system32\services.exe[956] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 00AE0025
    .text C:\Windows\system32\services.exe[956] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 00AE0FEF
    .text C:\Windows\system32\services.exe[956] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00AF0FE5
    .text C:\Windows\system32\lsass.exe[976] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 001B0FEF
    .text C:\Windows\system32\lsass.exe[976] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 001B0025
    .text C:\Windows\system32\lsass.exe[976] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 001B000A
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00190F54
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00190F6F
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00190F32
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 001900BF
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 0019007F
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00190FE5
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00190FCA
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00190F80
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 0019006E
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00190051
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00190FAF
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00190036
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00190090
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 001900E4
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 0019001B
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00190000
    .text C:\Windows\system32\lsass.exe[976] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00190F43
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00250058
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00250FC0
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00250FE5
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 0025003D
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00250F91
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00250011
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00250000
    .text C:\Windows\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 0025002C
    .text C:\Windows\system32\lsass.exe[976] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 008C0F89
    .text C:\Windows\system32\lsass.exe[976] msvcrt.dll!system 7621804B 5 Bytes JMP 008C0014
    .text C:\Windows\system32\lsass.exe[976] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 008C0FAB
    .text C:\Windows\system32\lsass.exe[976] msvcrt.dll!_open 7621D106 5 Bytes JMP 008C0FEF
    .text C:\Windows\system32\lsass.exe[976] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 008C0F9A
    .text C:\Windows\system32\lsass.exe[976] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 008C0FD2
    .text C:\Windows\system32\lsass.exe[976] WS2_32.dll!socket 76C836D1 5 Bytes JMP 008D0FEF
    .text C:\Windows\System32\svchost.exe[1144] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00040FEF
    .text C:\Windows\System32\svchost.exe[1144] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 0004000A
    .text C:\Windows\System32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00040FD4
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 000100F5
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 000100DA
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00010F79
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00010F8A
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 000100A4
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00010025
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00010040
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00010FA5
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 0001007D
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 0001006C
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00010FCA
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 0001005B
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 000100B5
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 0001012B
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00010FE5
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00010000
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00010106
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00060FC8
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!system 7621804B 5 Bytes JMP 00060053
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00060FE3
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_open 7621D106 5 Bytes JMP 00060000
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 00060038
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 0006001D
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 0007004E
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 0007002C
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00070000
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 0007003D
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 0007005F
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00070011
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00070FE5
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00070FC0
    .text C:\Windows\System32\svchost.exe[1144] WS2_32.dll!socket 76C836D1 5 Bytes JMP 006A0000
    .text C:\Windows\System32\svchost.exe[1144] wininet.dll!InternetOpenA 764A4E2B 5 Bytes JMP 006B0000
    .text C:\Windows\System32\svchost.exe[1144] wininet.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 006B0025
    .text C:\Windows\System32\svchost.exe[1144] wininet.dll!InternetOpenW 764DC03E 5 Bytes JMP 006B0FEF
    .text C:\Windows\System32\svchost.exe[1144] wininet.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 006B0FD4
    .text C:\Windows\system32\svchost.exe[1256] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 006B000A
    .text C:\Windows\system32\svchost.exe[1256] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 006B0FEF
    .text C:\Windows\system32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 006B0025
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00660F70
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00660F81
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 006600D1
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00660F3A
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00660076
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00660FD4
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00660025
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 006600AC
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 0066005B
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00660F9E
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00660040
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00660FB9
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00660091
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00660F1F
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00660FEF
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00660000
    .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00660F5F
    .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 007B003D
    .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!system 7621804B 5 Bytes JMP 007B002C
    .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 007B000A
    .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_open 7621D106 5 Bytes JMP 007B0FEF
    .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 007B001B
    .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 007B0FC6
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 006C0FA8
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 006C0FB9
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 006C000A
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 006C004A
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 006C0065
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 006C0FEF
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 006C0025
    .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 006C0FD4
    .text C:\Windows\system32\svchost.exe[1256] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00920000
    .text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 006B0FEF
    .text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 006B000A
    .text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 006B0FD4
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 006A0F13
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 006A0F24
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 006A0EE7
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 006A007E
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 006A003B
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 006A0FB9
     
  5. 2011/06/26
    Richard M

    Richard M Inactive Thread Starter

    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 006A0FA8
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 006A0F35
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 006A0F61
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 006A0F8D
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 006A0F7C
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 006A0014
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 006A0F50
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 006A0ED6
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 006A0FD4
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 006A0FEF
    .text C:\Windows\system32\svchost.exe[1320] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 006A0F02
    .text C:\Windows\system32\svchost.exe[1320] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00720F89
    .text C:\Windows\system32\svchost.exe[1320] msvcrt.dll!system 7621804B 5 Bytes JMP 00720014
    .text C:\Windows\system32\svchost.exe[1320] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00720FB5
    .text C:\Windows\system32\svchost.exe[1320] msvcrt.dll!_open 7621D106 5 Bytes JMP 00720FEF
    .text C:\Windows\system32\svchost.exe[1320] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 00720FA4
    .text C:\Windows\system32\svchost.exe[1320] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 00720FC6
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 006D0F83
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 006D0F9E
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 006D0FEF
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 006D0025
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 006D0F72
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 006D0000
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 006D0FD4
    .text C:\Windows\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 006D0FB9
    .text C:\Windows\system32\svchost.exe[1320] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00770FE5
    .text C:\Windows\System32\svchost.exe[1480] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00A7000A
    .text C:\Windows\System32\svchost.exe[1480] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00A7001B
    .text C:\Windows\System32\svchost.exe[1480] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00A70FE5
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00A50F2B
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00A50F46
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00A50F10
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00A500A7
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00A50F8D
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00A50FCA
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00A50FAF
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00A50F57
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00A50F9E
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00A50036
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00A50051
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00A5001B
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00A50F72
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00A500B8
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00A50000
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00A50FEF
    .text C:\Windows\System32\svchost.exe[1480] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00A5008C
    .text C:\Windows\System32\svchost.exe[1480] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00FD0F9A
    .text C:\Windows\System32\svchost.exe[1480] msvcrt.dll!system 7621804B 5 Bytes JMP 00FD0025
    .text C:\Windows\System32\svchost.exe[1480] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00FD0FB5
    .text C:\Windows\System32\svchost.exe[1480] msvcrt.dll!_open 7621D106 5 Bytes JMP 00FD0FEF
    .text C:\Windows\System32\svchost.exe[1480] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 00FD0014
    .text C:\Windows\System32\svchost.exe[1480] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 00FD0FD2
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00FC0051
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00FC0FB9
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00FC0FEF
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00FC0036
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00FC0076
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00FC000A
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00FC0FD4
    .text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00FC0025
    .text C:\Windows\System32\svchost.exe[1480] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00FE0FE5
    .text C:\Windows\System32\svchost.exe[1512] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 009B0FEF
    .text C:\Windows\System32\svchost.exe[1512] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 009B0FD4
    .text C:\Windows\System32\svchost.exe[1512] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 009B0000
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 009600EB
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 009600D0
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00960F8A
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00960121
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00960093
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00960FDB
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00960FCA
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 009600BF
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00960FB9
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 0096005B
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 0096006C
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00960036
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 009600AE
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00960132
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00960011
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00960000
    .text C:\Windows\System32\svchost.exe[1512] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00960106
    .text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 009C0036
    .text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!system 7621804B 5 Bytes JMP 009C0FAB
    .text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 009C0011
    .text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_open 7621D106 5 Bytes JMP 009C0000
    .text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 009C0FBC
    .text C:\Windows\System32\svchost.exe[1512] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 009C0FE3
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00950FD1
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00950058
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00950000
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00950073
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00950084
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00950036
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00950025
    .text C:\Windows\System32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00950047
    .text C:\Windows\System32\svchost.exe[1512] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00A50000
    .text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 01130FE5
    .text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 0113001B
    .text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 01130000
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 011200B5
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 01120F6F
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 01120F4A
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 011200E1
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 01120089
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 0112001B
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 0112002C
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 01120F8A
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 0112006E
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 01120FC0
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 01120FAF
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 01120047
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 0112009A
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 011200FC
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 0112000A
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 01120FEF
    .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 011200D0
    .text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 011C0F9C
    .text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!system 7621804B 5 Bytes JMP 011C0FB7
    .text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 011C0FE3
    .text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_open 7621D106 5 Bytes JMP 011C0000
    .text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 011C0FC8
    .text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 011C001D
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 01090FCD
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 01090FDE
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 01090FEF
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 01090065
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 0109008A
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 01090025
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 0109000A
    .text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 01090040
    .text C:\Windows\system32\svchost.exe[1580] WS2_32.dll!socket 76C836D1 5 Bytes JMP 01350FEF
    .text C:\Windows\system32\svchost.exe[1580] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 01420000
    .text C:\Windows\system32\svchost.exe[1580] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 01420FDE
    .text C:\Windows\system32\svchost.exe[1580] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 01420FEF
    .text C:\Windows\system32\svchost.exe[1580] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 01420025
    .text C:\Windows\system32\svchost.exe[1676] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00150000
    .text C:\Windows\system32\svchost.exe[1676] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00150FE5
    .text C:\Windows\system32\svchost.exe[1676] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00150011
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00100F43
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00100089
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 001000D0
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 001000BF
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00100F79
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00100FB9
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 0010000A
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 0010006E
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00100053
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00100036
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00100F8A
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00100025
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00100F5E
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00100F14
     
  6. 2011/06/26
    Richard M (Inactive Thread Starter)
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00100FDE
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00100FEF
    .text C:\Windows\system32\svchost.exe[1676] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 001000A4
    .text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00160036
    .text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!system 7621804B 5 Bytes JMP 00160FB5
    .text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00160000
    .text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_open 7621D106 5 Bytes JMP 00160FE3
    .text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 0016001B
    .text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 00160FD2
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 000F007A
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 000F004E
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 000F0000
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 000F005F
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 000F0095
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 000F0022
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 000F0011
    .text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 000F003D
    .text C:\Windows\system32\svchost.exe[1676] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00170FEF
    .text C:\Windows\system32\svchost.exe[1740] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 01400FE5
    .text C:\Windows\system32\svchost.exe[1740] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 01400014
    .text C:\Windows\system32\svchost.exe[1740] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 01400FD4
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00CE0F43
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00CE0093
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00CE0F17
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00CE0F28
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00CE0067
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00CE0FCD
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00CE0014
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00CE0F68
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00CE0040
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00CE002F
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00CE0F83
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00CE0FB2
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00CE0078
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00CE00C9
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00CE0FDE
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00CE0FEF
    .text C:\Windows\system32\svchost.exe[1740] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00CE00AE
    .text C:\Windows\system32\svchost.exe[1740] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 014B0FA8
    .text C:\Windows\system32\svchost.exe[1740] msvcrt.dll!system 7621804B 5 Bytes JMP 014B003D
    .text C:\Windows\system32\svchost.exe[1740] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 014B0FDE
    .text C:\Windows\system32\svchost.exe[1740] msvcrt.dll!_open 7621D106 5 Bytes JMP 014B0FEF
    .text C:\Windows\system32\svchost.exe[1740] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 014B0FCD
    .text C:\Windows\system32\svchost.exe[1740] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 014B000C
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00120047
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 0012002C
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00120000
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00120FAF
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00120F80
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00120FD1
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00120011
    .text C:\Windows\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00120FC0
    .text C:\Windows\system32\svchost.exe[1740] WS2_32.dll!socket 76C836D1 5 Bytes JMP 01640FE5
    .text C:\Windows\system32\svchost.exe[1740] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 00DF0FEF
    .text C:\Windows\system32\svchost.exe[1740] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 00DF001B
    .text C:\Windows\system32\svchost.exe[1740] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 00DF0000
    .text C:\Windows\system32\svchost.exe[1740] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 00DF0FCA
    .text C:\Windows\system32\svchost.exe[1960] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00970000
    .text C:\Windows\system32\svchost.exe[1960] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00970FD4
    .text C:\Windows\system32\svchost.exe[1960] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00970FE5
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00950095
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00950F4F
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00950F19
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00950F34
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00950F8F
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 0095002C
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 0095003D
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00950084
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00950073
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00950062
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00950FB6
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00950FDB
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00950F7E
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00950F08
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 0095001B
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00950000
    .text C:\Windows\system32\svchost.exe[1960] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 009500B0
    .text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00D10FB9
    .text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!system 7621804B 5 Bytes JMP 00D1003A
    .text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00D10029
    .text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_open 7621D106 5 Bytes JMP 00D10000
    .text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 00D10FD4
    .text C:\Windows\system32\svchost.exe[1960] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 00D10FEF
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 0094004A
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 0094001E
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00940FE5
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 0094002F
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00940065
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00940FC3
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00940FD4
    .text C:\Windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00940FB2
    .text C:\Windows\system32\svchost.exe[1960] WS2_32.dll!socket 76C836D1 5 Bytes JMP 0096000A
    .text C:\Windows\system32\svchost.exe[2116] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 007A0FEF
    .text C:\Windows\system32\svchost.exe[2116] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 007A0000
    .text C:\Windows\system32\svchost.exe[2116] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 007A0FCA
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 007800C7
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00780F81
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 007800FD
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00780F66
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 0078007D
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 0078002C
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00780FE5
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 007800A2
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00780FAF
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00780FC0
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00780062
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00780047
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00780F92
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00780118
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 0078001B
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 0078000A
    .text C:\Windows\system32\svchost.exe[2116] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 007800E2
    .text C:\Windows\system32\svchost.exe[2116] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00760069
    .text C:\Windows\system32\svchost.exe[2116] msvcrt.dll!system 7621804B 5 Bytes JMP 00760FD4
    .text C:\Windows\system32\svchost.exe[2116] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00760044
    .text C:\Windows\system32\svchost.exe[2116] msvcrt.dll!_open 7621D106 5 Bytes JMP 00760000
    .text C:\Windows\system32\svchost.exe[2116] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 00760FEF
    .text C:\Windows\system32\svchost.exe[2116] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 0076001D
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 0007003D
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00070FA5
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00070FE5
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 0007002C
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00070058
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00070011
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00070000
    .text C:\Windows\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00070FC0
    .text C:\Windows\system32\svchost.exe[2116] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00790FEF
    .text C:\Windows\system32\svchost.exe[2280] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 007D0FEF
    .text C:\Windows\system32\svchost.exe[2280] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 007D0FD4
    .text C:\Windows\system32\svchost.exe[2280] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 007D000A
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 007B0F54
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 007B0F6F
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 007B00C6
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 007B0F39
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 007B0F91
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 007B0011
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 007B002C
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 007B0F80
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 007B0FAC
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 007B004E
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 007B005F
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 007B003D
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 007B0086
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 007B0F14
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 007B0FE5
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 007B0000
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 007B00AB
    .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 007A0049
    .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!system 7621804B 5 Bytes JMP 007A0FBE
    .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 007A0038
    .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_open 7621D106 5 Bytes JMP 007A0000
    .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 007A0FD9
    .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 007A001D
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 006B0040
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 006B0FB2
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 006B0FEF
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 006B002F
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 006B0F83
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 006B0FD4
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 006B000A
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 006B0FC3
    .text C:\Windows\system32\svchost.exe[2280] WS2_32.dll!socket 76C836D1 5 Bytes JMP 007C0000
    .text C:\Windows\System32\svchost.exe[2308] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00080000
    .text C:\Windows\System32\svchost.exe[2308] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 0008002C
    .text C:\Windows\System32\svchost.exe[2308] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00080011
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 000700AA
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00070099
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00070F1A
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 000700BB
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00070F75
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00070FC3
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00070014
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 0007007E
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00070F86
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00070043
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00070F97
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00070FB2
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00070F64
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00070F09
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00070FDE
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00070FEF
    .text C:\Windows\System32\svchost.exe[2308] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00070F49
    .text C:\Windows\System32\svchost.exe[2308] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00060F92
    .text C:\Windows\System32\svchost.exe[2308] msvcrt.dll!system 7621804B 5 Bytes JMP 00060FAD
    .text C:\Windows\System32\svchost.exe[2308] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00060FD2
    .text C:\Windows\System32\svchost.exe[2308] msvcrt.dll!_open 7621D106 5 Bytes JMP 0006000C
    .text C:\Windows\System32\svchost.exe[2308] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 0006001D
    .text C:\Windows\System32\svchost.exe[2308] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 00060FE3
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00050F94
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00050FAF
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00050FEF
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00050036
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00050F83
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00050011
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00050000
    .text C:\Windows\System32\svchost.exe[2308] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00050FC0
    .text C:\Windows\System32\svchost.exe[2308] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00660000
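
An added example, not part of this thread and not GMER's own code: the `.text` lines above are GMER's user-mode hook listing, one line per patched export (process[PID], DLL!function, the export's address, patch length and the JMP target). When GMER can map the target to a loaded module it appends that module's path and description, as in the McAfee `mcproxy.dll` entries later in the thread; the svchost.exe entries here carry no such attribution. The script below parses that format, groups the hooks per process, tags each hooked API by what it gates (process creation, file, registry, loader, memory protection, pipes, network) and flags processes whose JMP targets have no module attribution. The sample lines are a constructed subset copied from this log; the API family table and the 64 KiB region rounding are the example's own assumptions. One caveat a practitioner would add: an unattributed hook is a lead, not a verdict. Security products hook the same APIs from injected code, so the memory at those targets has to be dumped and identified before it is called malicious.

```python
r"""Triage helper for GMER user-mode inline-hook lines (added example, not GMER code).

Each GMER ".text" line names the hooked process[PID], DLL!export, the export's
address, the patch length and the JMP target; a module path and description
follow only when GMER could map the target to a loaded module.
"""
import re

HOOK_RE = re.compile(
    r"^\s*\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.\-]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S.*?\.(?:dll|exe|sys))\s+\((?P<desc>[^)]*)\))?\s*$",
    re.IGNORECASE,
)

# Assumed grouping of hooked exports by the capability they gate (example's own table).
FAMILIES = {
    "process": {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec",
                "system", "_wsystem", "GetStartupInfoA", "GetStartupInfoW"},
    "file": {"NtCreateFile", "CreateFileA", "CreateFileW", "_creat", "_open", "_wcreat", "_wopen"},
    "memory": {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "ipc": {"CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
}


def family_of(func):
    """Map a hooked export name to a capability family; every Reg* export counts as registry."""
    if func.startswith("Reg"):
        return "registry"
    for name, members in FAMILIES.items():
        if func in members:
            return name
    return "other"


def parse_hooks(text):
    """Return one dict per parsable hook line; lines that do not match are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "proc": d["proc"], "pid": int(d["pid"]),
            "module": d["module"], "func": d["func"],
            "addr": int(d["addr"], 16), "nbytes": int(d["nbytes"]),
            "kind": d["kind"].upper(), "target": int(d["target"], 16),
            "owner": d["owner"], "desc": d["desc"],
            "family": family_of(d["func"]),
        })
    return hooks


def summarize(hooks):
    """Per PID: hook count, families touched, owners GMER named, and the 64 KiB
    regions (assumed allocation granularity) of targets that have no owner."""
    per_pid = {}
    for h in hooks:
        s = per_pid.setdefault(h["pid"], {
            "proc": h["proc"], "count": 0, "families": set(),
            "owners": set(), "unattributed_regions": set(),
        })
        s["count"] += 1
        s["families"].add(h["family"])
        if h["owner"]:
            s["owners"].add(h["owner"])
        else:
            s["unattributed_regions"].add(h["target"] & 0xFFFF0000)
    return per_pid


def unattributed_pids(summary):
    """PIDs with at least one hook whose target GMER could not map to a module."""
    return sorted(pid for pid, s in summary.items() if s["unattributed_regions"])


# Constructed sample: a few lines copied from the log above, plus one module-attributed hook.
SAMPLE_LOG = r"""
.text C:\Windows\System32\svchost.exe[1480] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00A5008C
.text C:\Windows\System32\svchost.exe[1480] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 00FD0F9A
.text C:\Windows\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00FC0025
.text C:\Windows\System32\svchost.exe[1480] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00FE0FE5
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 01130FE5
.text C:\Windows\system32\svchost.exe[1580] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 01420000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3108] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 6E7B9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
"""

if __name__ == "__main__":
    summary = summarize(parse_hooks(SAMPLE_LOG))
    for pid in sorted(summary):
        s = summary[pid]
        regions = ", ".join(f"{r:08X}" for r in sorted(s["unattributed_regions"])) or "-"
        print(f"[{pid}] {s['proc']}: {s['count']} hooks, families={sorted(s['families'])}, "
              f"owners={sorted(s['owners']) or '-'}, unattributed regions={regions}")
```

Run it over a full GMER log saved to a file (`parse_hooks(open(path).read())`) to get one line per process instead of hundreds of hook lines; the region set tells you how many separate allocations host trampolines in each process, which is what to dump next.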
     
  7. 2011/06/26
    broni (Moderator, Malware Analyst)
    Go on.....
     
  8. 2011/06/26
    Richard M (Inactive Thread Starter)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3108] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 6E7B9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3108] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 6E7B9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00040FEF
    .text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00040014
    .text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00040FDE
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00010F52
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00010098
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 000100A9
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00010F12
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00010F92
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00010FCA
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00010FB9
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00010F6D
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 0001006C
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00010040
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00010051
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00010025
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00010087
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00010EED
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00010FE5
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00010000
    .text C:\Windows\system32\svchost.exe[3992] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00010F37
    .text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 0006004E
    .text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!system 7621804B 5 Bytes JMP 00060FC3
    .text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 00060FDE
    .text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_open 7621D106 5 Bytes JMP 00060000
    .text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 00060033
    .text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 00060FEF
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00070047
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 0007002C
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00070000
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00070FA5
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00070F8A
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00070FDB
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00070011
    .text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00070FC0
    .text C:\Windows\system32\svchost.exe[3992] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00080FE5
    .text C:\Windows\Explorer.EXE[4060] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00040000
    .text C:\Windows\Explorer.EXE[4060] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00040011
    .text C:\Windows\Explorer.EXE[4060] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00040FE5
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 000800B0
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00080F6A
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 000800DF
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00080F48
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00080073
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00080FDB
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00080FCA
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 0008009F
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00080058
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00080036
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00080047
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00080FB9
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00080084
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 000800F0
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 0008001B
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00080000
    .text C:\Windows\Explorer.EXE[4060] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00080F59
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 000A0054
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 000A0039
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 000A0FEF
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 000A0FA8
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 000A0065
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 000A001E
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 000A0FDE
    .text C:\Windows\Explorer.EXE[4060] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 000A0FCD
    .text C:\Windows\Explorer.EXE[4060] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 000B0051
    .text C:\Windows\Explorer.EXE[4060] msvcrt.dll!system 7621804B 5 Bytes JMP 000B002C
    .text C:\Windows\Explorer.EXE[4060] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 000B0FCD
    .text C:\Windows\Explorer.EXE[4060] msvcrt.dll!_open 7621D106 5 Bytes JMP 000B0FEF
    .text C:\Windows\Explorer.EXE[4060] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 000B0FBC
    .text C:\Windows\Explorer.EXE[4060] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 000B0FDE
    .text C:\Windows\Explorer.EXE[4060] WS2_32.dll!socket 76C836D1 5 Bytes JMP 007D0FEF
    .text C:\Windows\Explorer.EXE[4060] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 007E0000
    .text C:\Windows\Explorer.EXE[4060] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 007E0FD4
    .text C:\Windows\Explorer.EXE[4060] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 007E0FE5
    .text C:\Windows\Explorer.EXE[4060] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 007E0FC3
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00140FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00140FD4
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 0014000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00170F30
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00170076
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00170EFA
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 00170F15
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00170F66
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00170014
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00170FC3
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00170F4B
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 0017004A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00170FA8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00170F97
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 0017002F
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 0017005B
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 00170EE9
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00170FDE
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00170FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00170091
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 0019006C
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00190051
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 0019000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00190FCA
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 0019007D
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00190FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 0019001B
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00190036
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!EnableWindow 7635CD8B 5 Bytes JMP 699298BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxParamW 763810B0 5 Bytes JMP 698815E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxIndirectParamW 76382EF5 5 Bytes JMP 69A75E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxParamA 76398152 5 Bytes JMP 69A75E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxIndirectParamA 7639847D 5 Bytes JMP 69A75EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxIndirectA 763AD4D9 5 Bytes JMP 69A75DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxIndirectW 763AD5D3 5 Bytes JMP 69A75D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxExA 763AD639 5 Bytes JMP 69A75CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxExW 763AD65D 5 Bytes JMP 69A75C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 001A0047
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] msvcrt.dll!system 7621804B 5 Bytes JMP 001A0FC6
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 001A002C
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] msvcrt.dll!_open 7621D106 5 Bytes JMP 001A0000
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 001A0FD7
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 001A0011
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] WININET.dll!HttpAddRequestHeadersA 76491B9C 5 Bytes JMP 00B76A90
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 001B0000
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 001B0FCA
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 001B0FDB
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] WININET.dll!HttpAddRequestHeadersW 764DF7A8 5 Bytes JMP 00B76C90
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 001B0FAF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4428] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00800000
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00040FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 0004002F
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00040014
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00070098
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00070F52
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 000700C4
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 000700B3
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00070073
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00070011
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00070FC0
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00070F6D
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00070062
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00070FAF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00070051
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 0007002C
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00070F7E
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 000700D5
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00070000
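
Reading a hook listing this long by eye is error-prone, so here is an added triage script of mine (it is not from the thread, from GMER or from McAfee). It parses entries in the format the log above uses and sorts each hook by whether GMER could name the module the JMP lands in. Two assumptions are baked in: GMER omits the trailing module path and description when the target sits in memory it cannot attribute to any loaded module, and Windows hands out private memory on 64 KiB boundaries, so the distinct `target >> 16` buckets in a process roughly count the distinct injected code blobs. Unattributed hooks are not proof of infection; injected security software produces the same picture, so treat that list as what to dump and inspect next. The sample lines are copied from the posts above.

```python
"""Triage of GMER '.text' inline-hook entries (added example, not GMER's code).

Buckets: 'module'    - GMER attributed the JMP target to a loaded module, so the
         hook has a named owner (here IEFRAME.dll or a McAfee plug-in) to verify;
         'anonymous' - the JMP lands in memory GMER could not tie to any module;
         injected security products and user-mode rootkits both look like this,
         so it is the list to dump and inspect, not proof of infection;
         'patch'     - bytes overwritten with something other than a resolvable
         JMP (the lone E9 opcode, or bytes just past a hooked entry point).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HOOK_RE = re.compile(
    r"""^\.text\s+
        (?P<image>.+?)\[(?P<pid>\d+)\]\s+          # hooked process and PID
        (?P<symbol>\S+?)                            # dll!export
        (?:\s\+\s(?P<offset>\d+))?\s+               # optional '+ N' offset
        (?P<addr>[0-9A-Fa-f]{8})\s+                 # address of patched bytes
        (?P<size>\d+)\s+Bytes?\s+                   # '1 Byte' / 'N Bytes'
        (?: JMP\s+(?P<target>[0-9A-Fa-f]{8})        # inline JMP ...
            (?:\s+(?P<module>\S.*?)\s+\((?P<desc>[^)]*)\))?   # ... maybe attributed
          | \[(?P<raw>[^\]]+)\] )                   # or raw overwritten bytes
        \s*$""",
    re.VERBOSE,
)


@dataclass
class Hook:
    image: str
    pid: int
    symbol: str               # e.g. 'kernel32.dll!CreateProcessW'
    offset: int               # bytes past the export entry point
    addr: int
    size: int
    target: Optional[int]     # JMP destination; None for raw-byte entries
    module: Optional[str]     # owner GMER resolved for the target, if any
    raw: Optional[str]        # overwritten bytes for raw-byte entries

    @property
    def kind(self) -> str:
        if self.target is None:
            return "patch"
        return "module" if self.module else "anonymous"

    @property
    def region(self) -> int:
        # Assumption: private memory is allocated on 64 KiB boundaries, so
        # anonymous targets sharing a bucket sit in one injected trampoline block.
        return (self.target or 0) >> 16


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one GMER .text entry; None for lines in any other format."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(image=m["image"], pid=int(m["pid"]), symbol=m["symbol"],
                offset=int(m["offset"] or 0), addr=int(m["addr"], 16),
                size=int(m["size"]),
                target=int(m["target"], 16) if m["target"] else None,
                module=m["module"], raw=m["raw"])


def triage(lines):
    """Per PID: bucket counts, distinct anonymous 64 KiB regions, the exports
    that jump into anonymous memory, and the owners GMER did resolve."""
    by_pid = defaultdict(list)
    for line in lines:
        h = parse_hook(line)
        if h:
            by_pid[h.pid].append(h)
    report = {}
    for pid, hooks in sorted(by_pid.items()):
        anon = [h for h in hooks if h.kind == "anonymous"]
        report[pid] = {
            "image": hooks[0].image,
            "counts": {k: sum(h.kind == k for h in hooks)
                       for k in ("module", "anonymous", "patch")},
            "anonymous_regions": sorted({h.region for h in anon}),
            "anonymous_symbols": sorted(h.symbol for h in anon),
            "modules": sorted({h.module for h in hooks if h.module}),
        }
    return report


# Sample input: nine lines copied verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00040FEF
.text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00040014
.text C:\Windows\system32\svchost.exe[3992] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00080FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CallNextHookEx 76358E3B 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CallNextHookEx 76358E3B 5 Bytes JMP 69947A3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CreateWindowExA + 3 7635DC2D 2 Bytes [59, F3]
.text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetReadFile 7648EA3A 5 Bytes JMP 02662D20 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!connect 76C840D9 5 Bytes JMP 0091000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!gethostbyname 76C962D4 5 Bytes JMP 00B6000A
"""

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_LOG.strip().splitlines()).items():
        print(pid, r["image"], r["counts"], "anonymous regions:",
              [hex(x << 16) for x in r["anonymous_regions"]])
```

Feed it the whole pasted log (one entry per line) and it prints, per process, how many hooks have a named owner versus how many jump into unattributed memory, plus the 64 KiB regions those land in. On the sample the svchost.exe hooks all resolve to nothing GMER can name, while the iexplore.exe WinSock hooks share that property but its USER32 and WININET hooks are owned by IEFRAME.dll and McAfee's SiteAdvisor plug-in. Which of the anonymous regions are benign is exactly what the helper's follow-up steps have to settle; the script only narrows where to look.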
     
  9. 2011/06/26
    Richard M Inactive Thread Starter

    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreateThread 762BC90E 5 Bytes JMP 698E71CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00070FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 00070F37
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00090FA8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00090FD4
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00090FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00090FC3
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00090F97
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00090025
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 0009000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00090040
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!SetWindowsHookExW 763587AD 5 Bytes JMP 6992204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CallNextHookEx 76358E3B 1 Byte [E9]
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CallNextHookEx 76358E3B 5 Bytes JMP 69947A3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!UnhookWindowsHookEx 763598DB 5 Bytes JMP 6996E9F8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!EnableWindow 7635CD8B 5 Bytes JMP 699298BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!DefWindowProcA 7635DB88 7 Bytes JMP 698E93F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CreateWindowExA 7635DC2A 2 Bytes JMP 698F3223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CreateWindowExA + 3 7635DC2D 2 Bytes [59, F3]
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!CreateWindowExW 76361305 5 Bytes JMP 6994FE1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!DefWindowProcW 763703B4 7 Bytes JMP 69947AA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!DialogBoxParamW 763810B0 5 Bytes JMP 698815E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!DialogBoxIndirectParamW 76382EF5 5 Bytes JMP 69A75E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!DialogBoxParamA 76398152 5 Bytes JMP 69A75E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!DialogBoxIndirectParamA 7639847D 5 Bytes JMP 69A75EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!MessageBoxIndirectA 763AD4D9 5 Bytes JMP 69A75DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!MessageBoxIndirectW 763AD5D3 5 Bytes JMP 69A75D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!MessageBoxExA 763AD639 5 Bytes JMP 69A75CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] USER32.dll!MessageBoxExW 763AD65D 5 Bytes JMP 69A75C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 001A0081
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] msvcrt.dll!system 7621804B 5 Bytes JMP 001A0070
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 001A003A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] msvcrt.dll!_open 7621D106 5 Bytes JMP 001A0000
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 001A0055
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 001A0029
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] ole32.dll!OleLoadFromStream 752B1E80 5 Bytes JMP 69A7666E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetCloseHandle 7648B7C4 5 Bytes JMP 02662C00 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetReadFile 7648EA3A 5 Bytes JMP 02662D20 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!HttpAddRequestHeadersA 76491B9C 5 Bytes JMP 008D6A90
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 001B0FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 001B0FCA
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetConnectA 764B5456 5 Bytes JMP 02662FC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!HttpOpenRequestA 764B5539 5 Bytes JMP 02662EC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 001B0000
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!HttpAddRequestHeadersW 764DF7A8 5 Bytes JMP 008D6C90
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 001B0FAF
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!closesocket 76C8330C 5 Bytes JMP 00B4000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!recv 76C8343A 5 Bytes JMP 0090000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!socket 76C836D1 5 Bytes JMP 002C0000
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!connect 76C840D9 5 Bytes JMP 0091000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!getaddrinfo 76C8418A 5 Bytes JMP 00B7000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!send 76C8659B 5 Bytes JMP 00B5000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4864] WS2_32.dll!gethostbyname 76C962D4 5 Bytes JMP 00B6000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00040FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 0004001B
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00040000
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 00070F4A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00070F5B
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00070F1B
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 000700B2
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 00070F9B
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00070011
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00070FC0
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00070086
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00070075
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00070033
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 0007004E
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 00070022
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00070F76
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 000700CD
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 00070000
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00070FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 000700A1
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00090087
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00090051
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 0009000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00090076
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00090098
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00090036
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00090025
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00090FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!EnableWindow 7635CD8B 5 Bytes JMP 699298BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!DialogBoxParamW 763810B0 5 Bytes JMP 698815E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!DialogBoxIndirectParamW 76382EF5 5 Bytes JMP 69A75E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!DialogBoxParamA 76398152 5 Bytes JMP 69A75E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!DialogBoxIndirectParamA 7639847D 5 Bytes JMP 69A75EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!MessageBoxIndirectA 763AD4D9 5 Bytes JMP 69A75DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!MessageBoxIndirectW 763AD5D3 5 Bytes JMP 69A75D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!MessageBoxExA 763AD639 5 Bytes JMP 69A75CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] USER32.dll!MessageBoxExW 763AD65D 5 Bytes JMP 69A75C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 001A0064
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] msvcrt.dll!system 7621804B 5 Bytes JMP 001A0FD9
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 001A002E
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] msvcrt.dll!_open 7621D106 5 Bytes JMP 001A0000
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 001A0053
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 001A0011
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WININET.dll!HttpAddRequestHeadersA 76491B9C 5 Bytes JMP 00B06A90
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 001B000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 001B001B
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 001B0FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WININET.dll!HttpAddRequestHeadersW 764DF7A8 5 Bytes JMP 00B06C90
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 001B0FC0
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!closesocket 76C8330C 5 Bytes JMP 00F3000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!recv 76C8343A 5 Bytes JMP 00F1000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00ED0FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!connect 76C840D9 5 Bytes JMP 00F2000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!getaddrinfo 76C8418A 5 Bytes JMP 00F6000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!send 76C8659B 5 Bytes JMP 00F4000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!gethostbyname 76C962D4 5 Bytes JMP 00F5000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00140FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ntdll.dll!NtCreateProcess 773542E4 5 Bytes JMP 00140014
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ntdll.dll!NtProtectVirtualMemory 77354B84 5 Bytes JMP 00140FD4
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!GetStartupInfoW 76271929 5 Bytes JMP 001700A0
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!GetStartupInfoA 762719C9 5 Bytes JMP 00170F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00170F49
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateProcessA 76271C28 5 Bytes JMP 001700E0
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!VirtualProtect 76271DC3 5 Bytes JMP 0017007B
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateNamedPipeA 76272EF5 5 Bytes JMP 00170FDE
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateNamedPipeW 76275C0C 5 Bytes JMP 00170FCD
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreatePipe 76298E6E 5 Bytes JMP 00170F6B
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!LoadLibraryExW 76299109 5 Bytes JMP 00170F97
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!LoadLibraryW 76299362 5 Bytes JMP 00170040
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!LoadLibraryExA 762994B4 5 Bytes JMP 00170FA8
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!LoadLibraryA 762994DC 5 Bytes JMP 0017002F
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!VirtualProtectEx 7629DBDA 5 Bytes JMP 00170F86
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!GetProcAddress 762B903B 5 Bytes JMP 001700FB
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateFileW 762BAECB 5 Bytes JMP 0017000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateThread 762BC90E 5 Bytes JMP 698E71CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateFileA 762BCE5F 5 Bytes JMP 00170FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!WinExec 76305CF7 5 Bytes JMP 001700C5
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegCreateKeyExA 761139AB 5 Bytes JMP 00190051
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegCreateKeyA 76113BA9 5 Bytes JMP 00190025
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegOpenKeyA 761189C7 5 Bytes JMP 00190000
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegCreateKeyW 7612391E 5 Bytes JMP 00190040
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegCreateKeyExW 761241F1 5 Bytes JMP 00190F94
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegOpenKeyExA 76127C42 5 Bytes JMP 00190FD4
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegOpenKeyW 7612E2B5 5 Bytes JMP 00190FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ADVAPI32.dll!RegOpenKeyExW 76137BA1 5 Bytes JMP 00190FB9
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!SetWindowsHookExW 763587AD 5 Bytes JMP 6992204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!CallNextHookEx 76358E3B 1 Byte [E9]
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!CallNextHookEx 76358E3B 5 Bytes JMP 69947A3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!UnhookWindowsHookEx 763598DB 5 Bytes JMP 6996E9F8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!EnableWindow 7635CD8B 5 Bytes JMP 699298BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!DefWindowProcA 7635DB88 7 Bytes JMP 698E93F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!CreateWindowExA 7635DC2A 2 Bytes JMP 698F3223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!CreateWindowExA + 3 7635DC2D 2 Bytes [59, F3]
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!CreateWindowExW 76361305 5 Bytes JMP 6994FE1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!DefWindowProcW 763703B4 7 Bytes JMP 69947AA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!DialogBoxParamW 763810B0 5 Bytes JMP 698815E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!DialogBoxIndirectParamW 76382EF5 5 Bytes JMP 69A75E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!DialogBoxParamA 76398152 5 Bytes JMP 69A75E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!DialogBoxIndirectParamA 7639847D 5 Bytes JMP 69A75EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!MessageBoxIndirectA 763AD4D9 5 Bytes JMP 69A75DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!MessageBoxIndirectW 763AD5D3 5 Bytes JMP 69A75D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!MessageBoxExA 763AD639 5 Bytes JMP 69A75CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!MessageBoxExW 763AD65D 5 Bytes JMP 69A75C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] msvcrt.dll!_wsystem 76217F2F 5 Bytes JMP 001A0064
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] msvcrt.dll!system 7621804B 5 Bytes JMP 001A0053
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] msvcrt.dll!_creat 7621BBE1 5 Bytes JMP 001A001D
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] msvcrt.dll!_open 7621D106 5 Bytes JMP 001A0FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] msvcrt.dll!_wcreat 7621D326 5 Bytes JMP 001A0042
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] msvcrt.dll!_wopen 7621D501 5 Bytes JMP 001A000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] ole32.dll!OleLoadFromStream 752B1E80 5 Bytes JMP 69A7666E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetCloseHandle 7648B7C4 5 Bytes JMP 07C12C00 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetReadFile 7648EA3A 5 Bytes JMP 07C12D20 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!HttpAddRequestHeadersA 76491B9C 5 Bytes JMP 00F56A90
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetOpenA 764A4E2B 5 Bytes JMP 001B0FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetOpenUrlA 764ABFCE 5 Bytes JMP 001B002F
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetConnectA 764B5456 5 Bytes JMP 07C12FC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!HttpOpenRequestA 764B5539 5 Bytes JMP 07C12EC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetOpenW 764DC03E 5 Bytes JMP 001B000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!HttpAddRequestHeadersW 764DF7A8 5 Bytes JMP 00F56C90
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetOpenUrlW 7650D722 5 Bytes JMP 001B0FDE
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!closesocket 76C8330C 5 Bytes JMP 00FA000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!recv 76C8343A 5 Bytes JMP 00F8000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!socket 76C836D1 5 Bytes JMP 00F40FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!connect 76C840D9 5 Bytes JMP 00F9000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!getaddrinfo 76C8418A 5 Bytes JMP 0111000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!send 76C8659B 5 Bytes JMP 00FB000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!gethostbyname 76C962D4 5 Bytes JMP 00FC000A
     
  10. 2011/06/26
    Richard M
    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[588] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00967740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[588] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [009677A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys
    AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys
    AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys
    AttachedDevice \Driver\tdx \Device\RawIp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:252] 86325E7A
    Thread System [4:256] 86328008
    ---- Processes - GMER 1.0.15 ----

    Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [4864] 0x68070000
    Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [4864] 0x6DB90000
    Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [4864] 0x77220000
    Library C:\Program (*** hidden *** ) @ C:\Program [7172] 0x00C50000
    Library C:\Program (*** hidden *** ) @ C:\Program [7172] 0x6D220000
    Library C:\Program (*** hidden *** ) @ C:\Program [7172] 0x60A60000
    Library C:\Program (*** hidden *** ) @ C:\Program [7172] 0x6D320000
    Library C:\Program (*** hidden *** ) @ C:\Program [7172] 0x5F740000
    Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [7584] 0x68070000
    Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [7584] 0x6DB90000
    Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [7584] 0x77220000
    Library C:\Program (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [7584] 0x6FD90000

    ---- EOF - GMER 1.0.15 ----
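Editor's note, added example (not part of Richard M's post and not GMER's own code): the `.text ... JMP` lines in the GMER log above are user-mode inline hooks, and the thing a responder wants from several hundred of them is a grouping, not a line-by-line read. GMER names the owning module when the JMP target lands inside a loaded image (IEFRAME.dll, mcieplg.dll); a bare target such as `JMP 00170F49` means the trampoline lives in memory that no loaded image accounts for. Security suites (McAfee is present on this machine) inject that way too, so an unattributed hook is a review item, not a verdict. The script below parses the lines, separates attributed hooks from anonymous ones, groups the anonymous targets by 64 KiB region, and keeps byte patches with no resolvable JMP separately. The sample lines are copied from the log above; the parsing regex, the function names and the 64 KiB grouping are this example's own choices.

```python
"""Triage of GMER user-mode inline-hook lines (added example, not part of GMER).

GMER prints one line per patched export:

  .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner> (<desc>)]

A bare <target> with no owner means GMER could not map the trampoline to any
loaded module; the hooks are grouped so a responder sees, per process, which
APIs go to which anonymous region and which owners GMER could name.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.\-]+)!(?P<export>[\w@]+)(?:\s*\+\s*\d+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<desc>[^)]*)\))?\s*$"
)
REGION_MASK = ~0xFFFF   # group trampolines by 64 KiB allocation granularity (example's choice)


def parse_hook(line):
    """Return a dict for one GMER hook line, or None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    target = int(g["target"], 16) if g["target"] else None
    return {
        "image": g["image"],
        "pid": int(g["pid"]),
        "api": f'{g["module"]}!{g["export"]}',
        "target": target,
        "region": (target & REGION_MASK) if target is not None else None,
        "owner": g["owner"],   # None when GMER could not attribute the JMP
        "raw": g["raw"],       # byte patch without a resolvable JMP, e.g. "[E9]"
    }


def triage(lines):
    """Per pid: attributed owner -> APIs, anonymous region -> APIs, raw byte patches."""
    per_pid = {}
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        entry = per_pid.setdefault(h["pid"], {
            "image": h["image"],
            "attributed": defaultdict(list),
            "anonymous": defaultdict(list),
            "raw_patches": [],
        })
        if h["owner"]:
            entry["attributed"][h["owner"]].append(h["api"])
        elif h["target"] is not None:
            entry["anonymous"][h["region"]].append(h["api"])
        else:
            entry["raw_patches"].append(h["api"])
    return per_pid


def review_items(lines):
    """Sorted (pid, region, api) triples for every hook GMER could not attribute."""
    items = []
    for pid, entry in triage(lines).items():
        for region, apis in entry["anonymous"].items():
            items.extend((pid, f"{region:08X}", api) for api in apis)
    return sorted(items)


# Constructed sample: eight lines copied verbatim from the GMER log posted above.
SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[7584] ntdll.dll!NtCreateFile 77354224 5 Bytes JMP 00140FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateProcessW 76271BF3 5 Bytes JMP 00170F49
.text C:\Program Files\Internet Explorer\iexplore.exe[7584] kernel32.dll!CreateThread 762BC90E 5 Bytes JMP 698E71CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!CallNextHookEx 76358E3B 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[7584] USER32.dll!CreateWindowExA + 3 7635DC2D 2 Bytes [59, F3]
.text C:\Program Files\Internet Explorer\iexplore.exe[7584] WININET.dll!InternetConnectA 764B5456 5 Bytes JMP 07C12FC0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[7584] WS2_32.dll!connect 76C840D9 5 Bytes JMP 00F9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7508] WS2_32.dll!getaddrinfo 76C8418A 5 Bytes JMP 00F6000A
""".strip().splitlines()

if __name__ == "__main__":
    for pid, e in sorted(triage(SAMPLE).items()):
        print(f"{e['image']} [{pid}]")
        for owner, apis in e["attributed"].items():
            print(f"  attributed  {owner}: {', '.join(apis)}")
        for region, apis in sorted(e["anonymous"].items()):
            print(f"  ANONYMOUS   {region:08X}: {', '.join(apis)}")
        if e["raw_patches"]:
            print(f"  raw patch   {', '.join(e['raw_patches'])}")
```

Run it over the full GMER text and compare the anonymous regions across processes: if the same APIs (socket, connect, getaddrinfo, gethostbyname, the WININET request functions) are redirected into anonymous memory in every browser process, that set of APIs is what whoever injected it cares about, and the next step is to dump one of those regions and see whether it belongs to the installed security product or to something else.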
     
  11. 2011/06/26
    Richard M
    aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
    Run date: 2011-06-26 09:53:07
    -----------------------------
    09:53:07.962 OS Version: Windows 6.0.6002 Service Pack 2
    09:53:07.962 Number of processors: 2 586 0xF0D
    09:53:07.963 ComputerName: RICH-PC UserName: Rich
    09:53:20.584 Initialize success
    09:53:25.289 AVAST engine defs: 11062501
    09:53:36.478 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    09:53:36.481 Disk 0 Vendor: SAMSUNG_HD321KJ CP100-11 Size: 305245MB BusType: 3
    09:53:38.518 Disk 0 MBR read successfully
    09:53:38.521 Disk 0 MBR scan
    09:53:38.525 Disk 0 unknown MBR code
    09:53:40.529 Disk 0 scanning sectors +625139712
    09:53:40.561 Disk 0 scanning C:\Windows\system32\drivers
    09:53:57.822 Service scanning
    09:54:03.971 Disk 0 trace - called modules:
    09:54:03.995 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8622d1ed]<<
    09:54:03.998 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x855acac8]
    09:54:04.002 3 CLASSPNP.SYS[833db8b3] -> nt!IofCallDriver -> [0x853f5598]
    09:54:04.006 5 acpi.sys[806956bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x853fb8a0]
    09:54:04.344 \Driver\atapi[0x853da968] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8622d1ed
    09:54:06.073 AVAST engine scan C:\Windows
    11:30:08.761 AVAST engine scan C:\Users\Rich
    11:57:45.778 AVAST engine scan C:\ProgramData
    12:16:34.269 Scan finished successfully
    12:17:31.668 Disk 0 MBR has been saved successfully to "C:\Users\Rich\Desktop\MBR.dat "
    12:17:31.700 The log file has been saved successfully to "C:\Users\Rich\Desktop\aswMBR Log.txt "
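Editor's note, added example (not part of Richard M's post and not aswMBR's own code): the interesting part of the aswMBR log above is the disk trace. aswMBR walks the call chain from the kernel down to the ATA port driver and names the image each hop belongs to; a hop it cannot map to any loaded driver is printed as `>>UNKNOWN [0xADDR]<<`, and the last line shows which IRP dispatch routine of the port driver was followed and where it pointed. When the dispatch target is that same unmapped address, every disk request of that IRP type is being serviced by code no driver image accounts for, which is a much stronger signal than `unknown MBR code` alone (OEM boot managers produce that too, which is why the tool saves the MBR to a file for comparison). The script below parses the log, correlates the two addresses and grades the result. The "SAMPLE" lines are copied from the log above; the "CLEAN" block is a constructed approximation of what a machine with a standard MBR and a fully attributed trace prints, and the severity labels are this example's own.

```python
"""Triage of an aswMBR disk-stack trace (added example, not aswMBR's own code)."""
import re

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")          # strip the leading timestamp
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
TRACE_RE = re.compile(r"^nt\w*\.exe\s")                       # the "called modules" line
DISPATCH_RE = re.compile(
    r"^\\Driver\\(\w+)\[0x[0-9a-fA-F]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(\S+)$"
)
MBR_SAVED_RE = re.compile(r'MBR has been saved successfully to "(.+?)\s*"')


def parse_aswmbr(text):
    """Pull the MBR verdict, the trace, unmapped addresses and the dispatch target out of a log."""
    f = {"unknown_mbr": False, "unknown_code": set(), "trace": [],
         "dispatch": [], "mbr_dump": None}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        if line.endswith("unknown MBR code"):
            f["unknown_mbr"] = True
        m = UNKNOWN_RE.search(line)
        if m:
            f["unknown_code"].add(int(m.group(1), 16))
        if TRACE_RE.match(line):
            # only the hops aswMBR could attribute to an image
            f["trace"] = [t for t in line.split()
                          if t.lower().endswith((".exe", ".sys", ".dll"))]
        m = DISPATCH_RE.match(line)
        if m:
            drv, irp, target = m.groups()
            addr = int(target, 16) if target.lower().startswith("0x") else None
            f["dispatch"].append({"driver": drv, "irp": irp, "target": target, "addr": addr})
        m = MBR_SAVED_RE.search(line)
        if m:
            f["mbr_dump"] = m.group(1)
    return f


def assess(f):
    """Return (severity, reasons); severity is one of clean, low, medium, high (example's scale)."""
    reasons = []
    # the dispatch routine of the port driver points at the very address the trace could not map
    hijacked = [d for d in f["dispatch"] if d["addr"] is not None and d["addr"] in f["unknown_code"]]
    for d in hijacked:
        reasons.append(f'{d["driver"]} {d["irp"]} dispatches to unmapped code at 0x{d["addr"]:08x}')
    if f["unknown_code"] and not hijacked:
        reasons.append("disk call trace passes through code outside any loaded driver")
    if f["unknown_mbr"]:
        reasons.append("non-standard MBR code: compare the saved dump with a known-good MBR")
    if f["mbr_dump"]:
        reasons.append(f'preserve {f["mbr_dump"]} before any repair is attempted')
    if hijacked:
        severity = "high"
    elif f["unknown_code"]:
        severity = "medium"
    elif f["unknown_mbr"]:
        severity = "low"
    else:
        severity = "clean"
    return severity, reasons


# Constructed sample: lines copied verbatim from the aswMBR log posted above.
SAMPLE = r"""
09:53:38.521 Disk 0 MBR scan
09:53:38.525 Disk 0 unknown MBR code
09:54:03.971 Disk 0 trace - called modules:
09:54:03.995 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8622d1ed]<<
09:54:03.998 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x855acac8]
09:54:04.344 \Driver\atapi[0x853da968] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8622d1ed
12:17:31.668 Disk 0 MBR has been saved successfully to "C:\Users\Rich\Desktop\MBR.dat "
"""

# Constructed approximation of a clean machine (assumed format, not taken from the thread).
CLEAN = r"""
09:10:00.000 Disk 0 MBR scan
09:10:00.010 Disk 0 Windows VISTA default MBR code
09:10:05.000 Disk 0 trace - called modules:
09:10:05.010 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys
09:10:05.020 \Driver\atapi[0x853da968] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> atapi.sys[0x806a0000]
"""

if __name__ == "__main__":
    for name, text in (("posted log", SAMPLE), ("clean sample", CLEAN)):
        sev, why = assess(parse_aswmbr(text))
        print(f"{name}: {sev}")
        for r in why:
            print("  -", r)
```

The correlation is the point: a trace with an UNKNOWN hop but a dispatch routine that resolves to a named driver only says the walk passed through something aswMBR could not name, whereas a dispatch target equal to the unmapped address says the port driver's request handler itself has been replaced, and the MBR dump the tool wrote is then evidence to keep, not a file to clean up.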
     
  12. 2011/06/26
    Richard M
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by Rich at 12:19:39 on 2011-06-26
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.867 [GMT 1:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\AERTSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uWindow Title = Internet Explorer provided by Dell
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110625235450.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [<NO NAME>]
    uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe "
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe "
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [Nokia FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\users\rich\appdata\local\temp\low\HSPERF~1.SH!
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/armhelper.ocx
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1A66678A-E40C-44CC-AB19-B244D3147BFB} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{286B4091-C4AC-4E0B-AB28-B443F775CD25} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{6E282C74-7881-43EC-8A87-A06C2E057C4D} : DhcpNameServer = 192.168.1.254
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    mASetup: ccc-core-static - msiexec /fums {65E6362A-B878-4A7B-86DA-D16F8DBD75C7} /qb
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 387480]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-24 64584]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-24 165032]
    R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-8-30 21504]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-13 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-24 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-24 271480]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-24 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-24 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-24 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-24 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-24 56064]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-13 153280]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-13 52320]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-24 314088]
    R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-10-13 464384]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-25 366640]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-24 84488]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-13 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-13 40552]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-06-26 08:47:00 -------- d-----w- c:\users\rich\appdata\local\{F2DF17A2-2266-45D6-8998-5A1414CF283D}
    2011-06-25 21:06:55 -------- d-----w- c:\users\rich\appdata\roaming\Malwarebytes
    2011-06-25 21:06:20 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-25 21:06:20 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-25 21:06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-25 20:54:34 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{52b78852-8afd-4f81-b153-70b587dfb7aa}\mpengine.dll
    2011-06-25 20:40:59 -------- d-----w- c:\users\rich\appdata\local\{2996F710-4E2C-4DE7-9ACD-AF030261C0B4}
    2011-06-25 08:06:40 -------- d-----w- c:\users\rich\appdata\local\{6A4251C3-E45F-447B-8F69-413266246AFF}
    2011-06-24 18:23:17 -------- d-----w- c:\users\rich\appdata\local\{629AA4D1-8202-4F1A-AE3A-C6FA8FCEF3FF}
    2011-06-23 19:08:02 -------- d-----w- c:\users\rich\appdata\roaming\AVG10
    2011-06-23 19:03:28 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-06-23 19:03:15 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-23 19:02:55 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-23 19:02:55 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-23 19:02:43 563712 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-23 19:00:52 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-06-23 18:57:23 -------- d-----w- c:\programdata\AVG10
    2011-06-23 18:53:39 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-23 18:53:39 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-23 18:53:39 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-23 18:53:32 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-06-23 18:52:38 -------- d-----w- c:\program files\AVG
    2011-06-23 18:40:55 -------- d--h--w- c:\programdata\Common Files
    2011-06-23 18:40:40 -------- d-----w- c:\programdata\MFAData
    2011-06-23 18:33:47 -------- d-----w- c:\users\rich\appdata\local\{DCAAEA2E-B55F-4EB1-92A3-BDA78077C072}
    2011-06-22 19:35:51 -------- d--h--w- c:\users\rich\appdata\local\{4D256AD5-AC41-4698-8102-4118B48A9BCB}
    2011-06-21 06:35:06 -------- d--h--w- c:\users\rich\appdata\local\{3646D278-B2EB-48D5-BBDB-04106E478BED}
    2011-06-20 17:33:49 -------- d--h--w- c:\users\rich\appdata\local\{CC27C027-AF17-4134-8F2A-EFB8AA94FD1B}
    2011-06-19 20:12:04 -------- d--h--w- c:\users\rich\appdata\local\{21D49531-B96A-45DC-9EF7-1D1A5D3CC03C}
    2011-06-16 18:09:38 -------- d--h--w- c:\users\rich\appdata\local\{19825C3C-2A24-4EF0-A5C3-14643B34866B}
    2011-06-15 18:02:45 -------- d--h--w- c:\users\rich\appdata\local\{D081E74E-9764-4434-B39D-8CA80BC0852B}
    2011-06-13 15:11:49 -------- d--h--w- c:\users\rich\appdata\local\{FA903B25-4099-484C-9667-4AE4A68EF5C4}
    2011-06-12 11:50:35 -------- d--h--w- c:\users\rich\appdata\local\{78F706DC-0666-4BBC-9301-76B3166A8DCC}
    2011-06-12 11:45:34 -------- d--h--w- c:\users\rich\appdata\local\{FAF60ECB-9305-4662-9044-5910D081F847}
    2011-06-12 11:33:22 -------- d--h--w- c:\users\rich\appdata\local\{23E63D5F-12F3-44FB-83CF-88867D540D1B}
    2011-06-11 15:17:27 -------- d-----w- c:\program files\iPod
    2011-06-11 15:17:22 -------- d-----w- c:\program files\iTunes
    2011-06-11 11:56:54 -------- d--h--w- c:\users\rich\appdata\local\{4226A22C-B75D-4C09-ACCF-3B05B484ED47}
    2011-06-09 18:24:17 -------- d--h--w- c:\users\rich\appdata\local\{6CBF2BF1-C61E-4D9D-A2FE-B4E27AE6864C}
    2011-06-07 17:43:17 -------- d--h--w- c:\users\rich\appdata\local\{26FE209E-3B59-4429-A85B-77CEF9CC4087}
    2011-06-05 12:07:56 -------- d--h--w- c:\users\rich\appdata\local\{F74958AB-5FD6-454C-A73C-34916A4E943F}
    2011-06-03 18:28:04 -------- d--h--w- c:\users\rich\appdata\local\{63D34430-B8EA-47D6-AC52-612A5768C629}
    2011-05-31 20:21:39 -------- d--h--w- c:\users\rich\appdata\local\{2492702A-BCCC-47AA-A3CC-EF8FEE231734}
    2011-05-27 13:41:48 -------- d--h--w- c:\users\rich\appdata\local\{BA3B3D3C-4662-48F4-8238-730515572B82}
    .
    ==================== Find3M ====================
    .
    2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-04-14 13:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-04-14 13:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-04-14 13:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-04-14 13:01:38 64584 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-04-14 13:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-04-14 13:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-04-14 13:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-04-14 13:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-04-14 13:01:38 165032 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-04-14 13:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-04-09 17:55:44 15453336 ----a-w- c:\windows\system32\xlive.dll
    2011-04-09 17:55:42 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
    2011-04-08 22:20:12 98304 ----a-w- c:\windows\system32CmdLineExt.dll
    2011-04-06 15:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 15:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 15:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .
    ============= FINISH: 12:20:30.54 ===============
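Editor's note, added example (not part of Richard M's post and not DDS's own code): for a "search results redirect" complaint the DDS report above has a few sections worth pulling out mechanically rather than by eye. In the Pseudo HJT Report those are IE extension points whose backing file is gone (`- No File`), autoruns with no name (`[<NO NAME>]`), ActiveX objects loaded from local `file:///` paths, and the DNS servers each interface got from DHCP, since a resolver outside the local network is the classic way a redirect is arranged without touching the browser at all. The Created Last 30 section is then scanned for kernel drivers and grouped by creation minute, so a cluster written in one go (an update, or one installer) stands out from a lone driver. The HJT and Created lines in the samples are copied from the log above, except for one constructed `TCP:` line with a documentation-range address (203.0.113.5) that exists only to show the DNS check firing; on the posted log all resolvers are on the LAN.

```python
"""Triage of a DDS log (added example; DDS produces only the report)."""
import ipaddress
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+(?:-[A-Za-z]+)?):\s*(?P<rest>.+)$")
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*([\d. ]+)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}):\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)
AUTORUN_KINDS = {"uRun", "mRun", "dRun", "uRunOnce", "mRunOnce", "dRunOnce"}
# RFC 1918 only: anything else handed out as a resolver is for the analyst to verify
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def on_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def triage_hjt(lines):
    """Orphaned extension points, unnamed autoruns, local ActiveX and off-LAN resolvers."""
    f = {"orphans": [], "unnamed_autoruns": [], "local_activex": [],
         "dns": set(), "foreign_dns": []}
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if rest.endswith("- No File"):
            f["orphans"].append(f"{kind}: {rest}")
        if kind in AUTORUN_KINDS and rest.startswith("[<NO NAME>]"):
            f["unnamed_autoruns"].append(kind)
        if kind == "DPF" and "file:///" in rest.lower():
            f["local_activex"].append(rest)
        if kind == "TCP":
            dm = DNS_RE.search(rest)
            if dm:
                for ip in dm.group(1).split():
                    f["dns"].add(ip)
                    if not on_lan(ip):
                        f["foreign_dns"].append(ip)
    return f


def driver_clusters(lines):
    """{'YYYY-MM-DD HH:MM': [paths]} for .sys files written under a drivers directory."""
    clusters = defaultdict(list)
    for raw in lines:
        m = CREATED_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path").lower()
        is_dir = m.group("attrs")[0] == "d"
        if not is_dir and "\\drivers\\" in path and path.endswith(".sys"):
            clusters[f'{m.group("date")} {m.group("time")}'].append(path)
    return dict(clusters)


# Constructed sample: HJT lines copied from the DDS log posted above, plus one
# constructed TCP line (203.0.113.5, a documentation address) to exercise the DNS check.
HJT_SAMPLE = r"""
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [<NO NAME>]
mRun: [<NO NAME>]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/armhelper.ocx
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1A66678A-E40C-44CC-AB19-B244D3147BFB} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{00000000-0000-0000-0000-000000000000} : DhcpNameServer = 203.0.113.5
""".strip().splitlines()

# Constructed sample: Created Last 30 lines copied from the DDS log posted above.
CREATED_SAMPLE = r"""
2011-06-26 08:47:00 -------- d-----w- c:\users\rich\appdata\local\{F2DF17A2-2266-45D6-8998-5A1414CF283D}
2011-06-25 21:06:20 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-23 19:03:28 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-23 19:03:15 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-23 19:02:55 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-23 19:02:55 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-23 19:02:43 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-23 18:53:39 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in triage_hjt(HJT_SAMPLE).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
    for minute, paths in sorted(driver_clusters(CREATED_SAMPLE).items()):
        print(f"{minute}: {len(paths)} driver(s) {paths}")
```

None of these flags is a verdict on its own: an orphaned BHO is usually an uninstall leftover, and a cluster of SMB and AFD drivers written within a minute of each other with no other changes looks like a Windows update. What the grouping buys is that a single driver written at an odd time, or a resolver that is not the home router, is no longer hidden in two hundred lines of benign entries.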
     
  13. 2011/06/26
    Richard M
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 13/09/2007 13:33:36
    System Uptime: 26/06/2011 09:42:49 (3 hours ago)
    .
    Motherboard: Dell Inc. | | 0RY007
    Processor: Intel(R) Core(TM)2 Duo CPU E4400 @ 2.00GHz | Socket 775 | 1600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 288 GiB total, 174.767 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.328 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0.8
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Control Center
    Belkin 54Mbps Wireless Network Adapter
    Bonjour
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Arabic
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Spanish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help English
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Spanish
    CCC Help Thai
    Command & Conquer 3
    CSI-3 Dimensions of Murder 1.0
    D3DX10
    Dell Support Center (Support Software)
    Dell System Customization Wizard
    DellSupport
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) PRO Network Connections 12.1.11.0
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) SE Runtime Environment 6
    Left 4 Dead
    Left 4 Dead 2
    Malwarebytes' Anti-Malware version 1.51.0.1200
    McAfee SecurityCenter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    MobileMe Control Panel
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OGA Notifier 2.0.0048.0
    Police Quest Collection(TM)
    QuickTime
    Realtek High Definition Audio Driver
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    Safari
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Segoe UI
    Skins
    Sonic Activation Module
    Spotify
    Steam
    Theme Hospital
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    URL Assistant
    User's Guides
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    .
    ==== Event Viewer Messages From Past Week ========
    .
    26/06/2011 09:45:45, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    26/06/2011 09:45:45, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    25/06/2011 09:56:14, Error: EventLog [6008] - The previous system shutdown at 09:54:43 on 25/06/2011 was unexpected.
    25/06/2011 09:05:30, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    25/06/2011 09:05:30, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    23/06/2011 23:23:01, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    23/06/2011 23:23:01, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    23/06/2011 23:15:57, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments " " in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    23/06/2011 19:36:02, Error: Service Control Manager [7022] - The McAfee VirusScan Announcer service hung on starting.
    23/06/2011 19:20:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    23/06/2011 19:14:27, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:47:48, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments " " in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    23/06/2011 18:46:58, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    23/06/2011 18:46:58, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    23/06/2011 18:46:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments " " in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    23/06/2011 18:46:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments " " in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    23/06/2011 18:46:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments " " in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    23/06/2011 18:46:21, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    23/06/2011 18:46:14, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC mfehidk mfenlfk mfewfpk NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:14, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    23/06/2011 18:46:09, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments " " in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    22/06/2011 20:54:40, Error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    22/06/2011 20:54:30, Error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    22/06/2011 20:40:08, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    21/06/2011 18:20:49, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee Scanner service to connect.
    21/06/2011 18:20:49, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    21/06/2011 18:20:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service MCODS with arguments " " in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
    21/06/2011 18:19:57, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Font Cache Service service to connect.
    21/06/2011 18:19:57, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    21/06/2011 18:19:27, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    21/06/2011 18:18:57, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    21/06/2011 18:18:56, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
    21/06/2011 18:18:56, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments " " in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    21/06/2011 00:21:52, Error: disk [11] - The driver detected a controller error on \Device\Harddisk0\DR0.
    20/06/2011 22:07:52, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
    20/06/2011 22:07:22, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TrkWks service.
    20/06/2011 21:57:23, Error: Microsoft-Windows-Eventlog [23] - The event logging service encountered an error (res=23) while initializing logging resources for channel Microsoft-Windows-ReliabilityAnalysisComponent/Operational.
    20/06/2011 21:45:05, Error: Service Control Manager [7022] - The McAfee Network Agent service hung on starting.
    .
    ==== End Of File ===========================
     
  14. 2011/06/26
    Richard M

    Richard M Inactive Thread Starter

    Is there any other info you need? Thanks in advance for your help.
     
  15. 2011/06/26
    broni

    broni Moderator Malware Analyst

    You did fine :)

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning... just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  16. 2011/06/26
    Richard M

    Richard M Inactive Thread Starter

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows Vista
    Version 6.0.6002 (Service Pack 2)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0x8CA0E000 C:\Windows\system32\DRIVERS\atikmdag.sys 7897088 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
    0x82638000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
    0x82638000 PnpManager 3907584 bytes
    0x82638000 RAW 3907584 bytes
    0x82638000 WMIxWDM 3907584 bytes
    0x96E40000 Win32k 2113536 bytes
    0x96E40000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x8D800000 C:\Windows\system32\drivers\RTKVHDA.sys 2052096 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0x8323E000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
    0x830DF000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
    0x8DC54000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
    0x804D6000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
    0x9A30A000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x98234000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
    0x8C623000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x8C701000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x80604000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
    0x8DF64000 C:\Windows\system32\DRIVERS\netr73.sys 491520 bytes (Ralink Technology, Corp., Ralink 802.11 USB Wireless Adapter Driver)
    0x8306E000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x8040C000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
    0x9833B000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x83008000 C:\Windows\system32\drivers\mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
    0x9A2B9000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
    0x8DF19000 C:\Windows\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
    0x80729000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x8DE0A000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x8068D000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x80495000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
    0x8D40B000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
    0x8C6C3000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x8DE98000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x8D1A2000 C:\Windows\system32\DRIVERS\e1e6032.sys 241664 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 6 deserialized driver)
    0x83203000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x9A240000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x8334E000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x8D53D000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x82605000 ACPI_HAL 208896 bytes
    0x82605000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x807C5000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x8DDAA000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x8C7A6000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
    0x8D58E000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x805C6000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x8D4FC000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
    0x982F4000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
    0x9CA40000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0x9A291000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x8339E000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
    0x8DD59000 C:\Windows\system32\drivers\mfewfpk.sys 159744 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
    0x806E4000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x8D5BB000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0x8DEF5000 C:\Windows\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
    0x8D479000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x833D6000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
    0x9A200000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0x8DC01000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x9A221000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x807A7000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0x983A8000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
    0x8DD3E000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x98208000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0x983C5000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x8C78E000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x9A279000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x8DEDE000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x8D457000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x9CA96000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0x9CB49000 C:\Windows\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
    0x8DE52000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x8DD80000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
    0x983DE000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x8D4BF000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x8DDDC000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 86016 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0x831EA000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
    0x8D4AB000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x8DD96000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
    0x98328000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x8DE85000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0x9CA0A000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x833C5000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x8D572000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x8047C000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x805B6000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x8DFE7000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
    0x982E4000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x8078F000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
    0x8D4D4000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
    0x8C614000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
    0x8DE68000 C:\Windows\system32\DRIVERS\mfenlfk.sys 61440 bytes (McAfee, Inc., McAfee NDIS Light Filter Driver)
    0x8C7EB000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
    0x8338F000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0x8070B000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
    0x8D49C000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x8D1E8000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x8071A000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
    0x97080000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
    0x8DE77000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x8DC3D000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x8077A000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x8DDF1000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x8D530000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x80680000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
    0x9CA68000 C:\Windows\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
    0x9CB5F000 C:\Windows\system32\drivers\mfebopk.sys 49152 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
    0x9A3F2000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x8C7D5000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x8D196000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
    0x9CAAE000 C:\Users\Rich\AppData\Local\Temp\aswMBR.sys 45056 bytes
    0x8D400000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
    0x8CA00000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0x8D4E4000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x8D4EF000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
    0x8DC32000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x8D46E000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x8D44C000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x8C600000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x8D1DD000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0x8C7E1000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x8D526000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x9831E000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
    0x8DED4000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0x9A3E8000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0x9CB6D000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x833F7000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
    0x8D9F5000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x8DFDE000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0x8DFF7000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
    0x83065000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0x8DC4B000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0x97060000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x8C60B000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x806D3000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x8079F000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0x8048D000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x8D583000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
    0x8DE00000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0x806DC000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x8DC22000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x8DC2A000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x83387000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x8D5E7000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x8D5F7000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0x80773000 C:\Windows\system32\DRIVERS\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0x80405000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0x9CAB9000 C:\Users\Rich\AppData\Local\Temp\mbr.sys 28672 bytes
    0x8D5E0000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x80788000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    0x8D1F7000 C:\Windows\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0x9CB6B000 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
    0x9A308000 C:\Windows\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
    0x8D4FA000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x8DFDC000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0x8622D1ED unknown_irp_handler 3603 bytes
    ==============================================
    >Stealth
    ==============================================
    0x8622EA91 Unknown page with executable code, 1391 bytes
    0x8334E000 WARNING: Virus alike driver modification [volsnap.sys], 233472 bytes
    0x8622F191 Unknown page with executable code, 3695 bytes
    0x86231E7A Unknown thread object [ ETHREAD 0x864E5020 ] TID: 256, 600 bytes
    0x86234008 Unknown thread object [ ETHREAD 0x864E5B18 ] TID: 260, 600 bytes
    0x86233CDC Unknown page with executable code, 804 bytes
     
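The RootkitUnhooker report above carries two different signals that are easy to mix up when reading the raw dump: the driver list, where an entry with no "(Vendor, Description)" or one loaded from a user-writable directory deserves a second look, and the Stealth section, where the `WARNING: Virus alike driver modification [volsnap.sys]` line is the one that matters here (the in-memory image of the volume snapshot driver no longer matches its file, which is how a patched system driver shows up). The Python script below is an added example, not part of the thread or of RKU, that parses that format and ranks the findings. The allowlist of scanner drivers (aswMBR.sys, mbr.sys, BlackBox.SYS) is an assumption based on the tool names: they are loaded by the scanning tools themselves and are expected to appear from %Temp% or without version information. The sample text is constructed from lines of the report above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes used by RKU, as seen in the report above.  The path may contain
# spaces (Program Files), hence the non-greedy group.
DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+) (.+?) (\d+) bytes(?: \((.*)\))?$")
STEALTH_RE = re.compile(r"^(0x[0-9A-Fa-f]+) (.+?), (\d+) bytes$")
MODIFIED_RE = re.compile(r"driver modification \[(.+?)\]")

# Assumption: the scanning tools' own drivers (avast's aswMBR, GMER's mbr.exe,
# RKU's BlackBox).  They load from %Temp% or carry no vendor string and would
# otherwise look suspicious; extend the set for your own toolkit.
TOOL_DRIVERS = {"aswmbr.sys", "mbr.sys", "blackbox.sys"}
# Crash-dump copies of the storage stack (dump_atapi.sys etc.) have no version
# resource in memory and are expected on every install.
DUMP_PREFIX = "dump_"

@dataclass
class Driver:
    address: str
    path: str
    size: int
    vendor: Optional[str]   # None when RKU printed no "(Vendor, Description)"

@dataclass
class Finding:
    address: str
    subject: str
    reason: str
    severity: str           # "info", "medium" or "high"

def parse_driver_line(line: str) -> Optional[Driver]:
    m = DRIVER_RE.match(line.strip())
    if not m:
        return None
    address, path, size, info = m.groups()
    vendor = info.partition(", ")[0] if info and ", " in info else None
    return Driver(address, path, int(size), vendor)

def triage_drivers(drivers: List[Driver]) -> List[Finding]:
    out = []
    for d in drivers:
        low = d.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in TOOL_DRIVERS:
            out.append(Finding(d.address, d.path, "scanner's own driver (expected)", "info"))
            continue
        if "\\" not in d.path:   # e.g. unknown_irp_handler: code with no file behind it
            out.append(Finding(d.address, d.path, "kernel code not backed by a driver file", "medium"))
            continue
        if "\\appdata\\" in low or "\\temp\\" in low:
            out.append(Finding(d.address, d.path, "driver loaded from a user-writable directory", "high"))
        elif not low.startswith("c:\\windows\\"):
            out.append(Finding(d.address, d.path, "driver outside the Windows directory", "info"))
        if d.vendor is None and not name.startswith(DUMP_PREFIX):
            out.append(Finding(d.address, d.path, "no vendor/version information", "medium"))
    return out

def triage_stealth(lines: List[str]) -> List[Finding]:
    out = []
    for line in lines:
        m = STEALTH_RE.match(line.strip())
        if not m:
            continue
        address, text, _size = m.groups()
        mod = MODIFIED_RE.search(text)
        if mod:   # in-memory image of a system driver no longer matches its file
            out.append(Finding(address, mod.group(1), "loaded driver image has been modified", "high"))
        elif text.startswith("Unknown page with executable code"):
            out.append(Finding(address, text, "executable memory owned by no loaded module", "medium"))
        elif text.startswith("Unknown thread object"):
            out.append(Finding(address, text, "thread not attributable to a loaded module", "medium"))
    return out

def triage(text: str) -> List[Finding]:
    """Everything before the '>Stealth' header is treated as the driver list."""
    drivers, stealth, section = [], [], "drivers"
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith(">"):
            section = s[1:].strip().lower()
        elif not s or s.startswith("="):
            continue
        elif section == "stealth":
            stealth.append(s)
        else:
            d = parse_driver_line(s)
            if d:
                drivers.append(d)
    return triage_drivers(drivers) + triage_stealth(stealth)

# Constructed sample made of lines from the report above.
SAMPLE_RKU = r"""
0x8DFE7000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x9CAAE000 C:\Users\Rich\AppData\Local\Temp\aswMBR.sys 45056 bytes
0x8D400000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x9CB6D000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x9CB6B000 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0x8622D1ED unknown_irp_handler 3603 bytes
==============================================
>Stealth
==============================================
0x8622EA91 Unknown page with executable code, 1391 bytes
0x8334E000 WARNING: Virus alike driver modification [volsnap.sys], 233472 bytes
0x86231E7A Unknown thread object [ ETHREAD 0x864E5020 ] TID: 256, 600 bytes
"""

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(SAMPLE_RKU), key=lambda f: order[f.severity]):
        print(f"{f.severity:6} {f.address} {f.subject}: {f.reason}")
```

Run it against a saved RKU report and start with whatever is ranked high. The dump_* entries and the scanners' own drivers are filtered out deliberately; the unknown pages and threads are ranked medium because on their own they only say that code is executing in kernel memory that no loaded module accounts for, which is consistent with a patched driver but needs the modified-image finding (or a memory dump) to confirm.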
  17. 2011/06/26
    Richard M

    Richard M Inactive Thread Starter

    Joined:
    2011/06/25
    Messages:
    24
    Likes Received:
    0
    I have just tried to google again and no more redirection it seems!
     
  18. 2011/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  19. 2011/06/26
    Richard M

    Richard M Inactive Thread Starter

    Joined:
    2011/06/25
    Messages:
    24
    Likes Received:
    0
    I've run into some trouble, I'm afraid! When I double click on TDSSKiller to run the application, nothing happens. I downloaded it OK and extracted the files, but the application itself doesn't seem to want to run. Any suggestions?
     
  20. 2011/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  21. 2011/06/27
    Richard M

    Richard M Inactive Thread Starter

    Joined:
    2011/06/25
    Messages:
    24
    Likes Received:
    0
    Combofix log

    I'm starting to get the hang of this!

    ComboFix 11-06-27.01 - Rich 27/06/2011 18:59:32.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.1120 [GMT 1:00]
    Running from: c:\users\Rich\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-27 to 2011-06-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-27 18:11 . 2011-06-27 18:11 -------- d-----w- c:\users\Rich\AppData\Local\temp
    2011-06-27 17:17 . 2011-06-27 17:17 -------- d-----w- c:\users\Rich\AppData\Local\{B9F452BD-D8D3-429F-94BB-49588E6C21DE}
    2011-06-26 08:47 . 2011-06-26 08:47 -------- d-----w- c:\users\Rich\AppData\Local\{F2DF17A2-2266-45D6-8998-5A1414CF283D}
    2011-06-25 21:06 . 2011-06-25 21:06 -------- d-----w- c:\users\Rich\AppData\Roaming\Malwarebytes
    2011-06-25 21:06 . 2011-06-25 21:06 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-25 21:06 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-25 21:06 . 2011-06-25 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-25 20:54 . 2011-06-20 07:57 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{52B78852-8AFD-4F81-B153-70B587DFB7AA}\mpengine.dll
    2011-06-25 20:40 . 2011-06-25 20:41 -------- d-----w- c:\users\Rich\AppData\Local\{2996F710-4E2C-4DE7-9ACD-AF030261C0B4}
    2011-06-25 08:06 . 2011-06-25 08:07 -------- d-----w- c:\users\Rich\AppData\Local\{6A4251C3-E45F-447B-8F69-413266246AFF}
    2011-06-24 18:23 . 2011-06-24 18:23 -------- d-----w- c:\users\Rich\AppData\Local\{629AA4D1-8202-4F1A-AE3A-C6FA8FCEF3FF}
    2011-06-23 19:08 . 2011-06-23 19:08 -------- d-----w- c:\users\Rich\AppData\Roaming\AVG10
    2011-06-23 19:03 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-06-23 19:03 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-23 19:02 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-23 19:02 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-23 19:02 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-23 19:00 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-06-23 18:57 . 2011-06-26 08:43 -------- d-----w- c:\programdata\AVG10
    2011-06-23 18:53 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-23 18:53 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-23 18:53 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-23 18:53 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-06-23 18:52 . 2011-06-23 18:52 -------- d-----w- c:\program files\AVG
    2011-06-23 18:40 . 2011-06-23 18:40 -------- d--h--w- c:\programdata\Common Files
    2011-06-23 18:40 . 2011-06-25 21:47 -------- d-----w- c:\programdata\MFAData
    2011-06-23 18:33 . 2011-06-23 18:33 -------- d-----w- c:\users\Rich\AppData\Local\{DCAAEA2E-B55F-4EB1-92A3-BDA78077C072}
    2011-06-22 19:35 . 2011-06-22 19:36 -------- d--h--w- c:\users\Rich\AppData\Local\{4D256AD5-AC41-4698-8102-4118B48A9BCB}
    2011-06-21 06:35 . 2011-06-21 06:35 -------- d--h--w- c:\users\Rich\AppData\Local\{3646D278-B2EB-48D5-BBDB-04106E478BED}
    2011-06-20 17:33 . 2011-06-20 17:34 -------- d--h--w- c:\users\Rich\AppData\Local\{CC27C027-AF17-4134-8F2A-EFB8AA94FD1B}
    2011-06-19 20:12 . 2011-06-19 20:12 -------- d--h--w- c:\users\Rich\AppData\Local\{21D49531-B96A-45DC-9EF7-1D1A5D3CC03C}
    2011-06-16 18:09 . 2011-06-16 18:09 -------- d--h--w- c:\users\Rich\AppData\Local\{19825C3C-2A24-4EF0-A5C3-14643B34866B}
    2011-06-15 18:02 . 2011-06-15 18:03 -------- d--h--w- c:\users\Rich\AppData\Local\{D081E74E-9764-4434-B39D-8CA80BC0852B}
    2011-06-13 15:11 . 2011-06-13 15:12 -------- d--h--w- c:\users\Rich\AppData\Local\{FA903B25-4099-484C-9667-4AE4A68EF5C4}
    2011-06-12 11:50 . 2011-06-12 11:50 -------- d--h--w- c:\users\Rich\AppData\Local\{78F706DC-0666-4BBC-9301-76B3166A8DCC}
    2011-06-12 11:45 . 2011-06-12 11:45 -------- d--h--w- c:\users\Rich\AppData\Local\{FAF60ECB-9305-4662-9044-5910D081F847}
    2011-06-12 11:33 . 2011-06-12 11:33 -------- d--h--w- c:\users\Rich\AppData\Local\{23E63D5F-12F3-44FB-83CF-88867D540D1B}
    2011-06-11 15:17 . 2011-06-11 15:17 -------- d-----w- c:\program files\iPod
    2011-06-11 15:17 . 2011-06-11 15:18 -------- d-----w- c:\program files\iTunes
    2011-06-11 11:56 . 2011-06-11 11:57 -------- d--h--w- c:\users\Rich\AppData\Local\{4226A22C-B75D-4C09-ACCF-3B05B484ED47}
    2011-06-09 18:24 . 2011-06-09 18:24 -------- d--h--w- c:\users\Rich\AppData\Local\{6CBF2BF1-C61E-4D9D-A2FE-B4E27AE6864C}
    2011-06-07 17:43 . 2011-06-07 17:43 -------- d--h--w- c:\users\Rich\AppData\Local\{26FE209E-3B59-4429-A85B-77CEF9CC4087}
    2011-06-05 12:07 . 2011-06-05 12:08 -------- d--h--w- c:\users\Rich\AppData\Local\{F74958AB-5FD6-454C-A73C-34916A4E943F}
    2011-06-03 18:28 . 2011-06-03 18:28 -------- d--h--w- c:\users\Rich\AppData\Local\{63D34430-B8EA-47D6-AC52-612A5768C629}
    2011-05-31 20:21 . 2011-05-31 20:22 -------- d--h--w- c:\users\Rich\AppData\Local\{2492702A-BCCC-47AA-A3CC-EF8FEE231734}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-24 18:14 . 2009-10-13 16:36 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-04-14 13:01 . 2010-08-24 15:34 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-04-14 13:01 . 2010-08-24 15:34 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-04-14 13:01 . 2010-08-24 15:34 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-04-14 13:01 . 2010-08-24 15:34 64584 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-04-14 13:01 . 2010-08-24 15:34 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-04-14 13:01 . 2010-08-24 15:34 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-04-14 13:01 . 2010-08-24 15:34 165032 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-04-14 13:01 . 2009-10-13 16:29 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-04-14 13:01 . 2009-10-13 16:29 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-04-14 13:01 . 2009-07-08 12:44 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-04-09 17:55 . 2011-04-09 17:55 15453336 ----a-w- c:\windows\system32\xlive.dll
    2011-04-09 17:55 . 2011-04-09 17:55 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
    2011-04-08 22:20 . 2011-04-08 22:20 98304 ----a-w- c:\windows\system32CmdLineExt.dll
    2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-11-10 4240760]
    "Steam"="c:\program files\steam\steam.exe" [2010-11-24 1242448]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-04-14 64584]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-04-14 165032]
    S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-04-14 141792]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088]
    S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-12-04 464384]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-Nokia FastStart - c:\program files\Nokia\Nokia Music\NokiaMusic.exe
    HKLM-Run-F5D7050v3 - c:\program files\Belkin\F5D7050v3\Belkinwcui.exe
    HKU-Default-RunOnce-DelayShred - c:\program files\mcafee\mshr\ShrCL.EXE
    HKLM_ActiveSetup-ccc-core-static - msiexec
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-27 19:11
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-123076629-2821856737-1922197628-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:bb,1d,15,88,fa,ac,49,53,64,2c,6b,8e,03,41,84,97,7f,01,9a,5d,ba,96,96,
    4e,9d,1c,04,15,a3,cb,93,0c,0a,12,aa,01,8a,f1,ba,16,27,18,2f,79,b0,b2,4c,54,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    [HKEY_USERS\S-1-5-21-123076629-2821856737-1922197628-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:4f,90,61,e9,f8,8c,0a,49,79,ba,bd,7f,5f,06,88,40,dd,82,fe,f3,34,
    d0,4a,32,9b,4d,7b,d0,de,78,d8,e1,00,5f,bc,65,c7,10,89,95,61,1a,b9,70,c7,c5,\
    "rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(2948)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    .
    Completion time: 2011-06-27 19:16:21
    ComboFix-quarantined-files.txt 2011-06-27 18:16
    .
    Pre-Run: 187,708,063,744 bytes free
    Post-Run: 188,546,080,768 bytes free
    .
    - - End Of File - - 947928B401958D4A0BF18FB84BB03926
     
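ComboFix reports that it found an infected volsnap.sys and replaced it, which lines up with the modified-driver warning in the RootkitUnhooker output earlier in the thread. The check a practitioner would run next is to confirm that the file now on disk is a genuine Microsoft build rather than taking the message on trust. On the machine itself the quickest way is an Authenticode check (Sysinternals sigcheck or PowerShell's Get-AuthenticodeSignature), but a valid signature says nothing about which version was restored. The script below, an added example that is neither from the thread nor from ComboFix, hashes the live driver and compares it with every copy of the same file in the component store, where Windows keeps the versions that shipped through servicing. The driver path and the store path (C:\Windows\winsxs) are assumptions about a default Vista install; run_demo() builds a constructed fixture so the comparison can be exercised on any system.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

LIVE_DRIVER = r"C:\Windows\System32\drivers\volsnap.sys"   # assumed default path
COMPONENT_STORE = r"C:\Windows\winsxs"                    # assumed default path


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large component store is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_reference_copies(store_root: str, filename: str) -> Dict[str, str]:
    """Every file with the wanted name under store_root, mapped to its SHA-256.
    A missing store root simply yields no references."""
    wanted = filename.lower()
    refs: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(store_root):
        for name in files:
            if name.lower() == wanted:
                full = os.path.join(dirpath, name)
                refs[full] = sha256_of(full)
    return refs


def verify_driver(driver_path: str, store_root: str) -> Tuple[str, str, List[str]]:
    """Return (status, digest of the live file, matching store paths).

    "match": at least one store copy is byte-identical to the live driver.
    "mismatch": copies exist but none matches; either a build the store has
    never seen or a file that is still patched, so look further before trusting it.
    "no-reference": the store holds no copy, so nothing is proven either way."""
    digest = sha256_of(driver_path)
    refs = find_reference_copies(store_root, os.path.basename(driver_path))
    matches = [p for p, h in refs.items() if h == digest]
    if not refs:
        status = "no-reference"
    elif matches:
        status = "match"
    else:
        status = "mismatch"
    return status, digest, matches


def run_demo() -> Dict[str, str]:
    """Constructed fixture: a fake drivers directory and a fake component store.
    The byte strings stand in for driver images and are not real file contents."""
    good = b"MZ\x90\x00 constructed stand-in for a shipped volsnap.sys image"
    patched = good + b" with a few bytes changed"
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "winsxs")
        component = os.path.join(store, "x86_microsoft-windows-volsnap_constructed")
        os.makedirs(component)
        with open(os.path.join(component, "volsnap.sys"), "wb") as f:
            f.write(good)
        live = os.path.join(root, "drivers", "volsnap.sys")
        os.makedirs(os.path.dirname(live))
        with open(live, "wb") as f:
            f.write(good)
        results["restored"] = verify_driver(live, store)[0]   # identical to a store copy
        with open(live, "wb") as f:
            f.write(patched)
        results["patched"] = verify_driver(live, store)[0]    # differs from every copy
        results["unknown"] = verify_driver(live, os.path.join(root, "empty"))[0]
    return results


if __name__ == "__main__":
    if os.path.exists(LIVE_DRIVER):
        status, digest, matches = verify_driver(LIVE_DRIVER, COMPONENT_STORE)
        print(status, digest)
        for p in matches:
            print("  matches", p)
    else:
        print("demo:", run_demo())
```

Two caveats apply to the result. A mismatch is not proof that the file is still infected, because the restored copy may be a build that never went through servicing on this machine; a match only proves the file equals something that was once installed, so on a box that had a kernel-mode rootkit the store itself could have been touched and the signature check is worth repeating from a clean boot medium.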