
Google Link Hijacking

December 5, 2009 at 16:11:45
Specs: Windows 7, 2GB RAM, AMD Phenom 2.6GHz Quad Core

I've been getting some weird problems with Google lately. I click on a link and it redirects me to another website, often ones filled with spyware and adware. I've run a full scan with Ad-Aware and SuperAntiSpyware and both found quite a bit of infected cookies and a couple of viruses. I also have McAfee installed and it is currently updated. I did a full scan with HijackThis and I'll include the results of that in case they can be of any help.

An interesting thing to note is that every once in a while McAfee will pop up saying a Generic trojan has been neutralized. They all are coming from the Temp folder in C:/Windows/. I've deleted everything in there except for the files necessary to run McAfee, and even now I'm still getting pop ups saying trojans have been removed from Temp. I don't know what to do because all of the virus scans I've done seem to have had little to no effect on the hijacking. I'm using Google Chrome by the way.

I tried getting ComboFix, but when I try to run it from the desktop as per instructions I get a "Not a valid win32 program" error. I'm using a "non registered" copy of Windows 7 build 7600 because my 30 day trial just ran out.

edited by moderator: HJT log removed




#1
December 5, 2009 at 17:41:53

Please save this file to your desktop.

Win32kDiag.exe

Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Please download OTL from following site:

Link1

1. Save it to your desktop
2. Double click the OTL icon on your desktop.
3. Click the “scan all users” checkbox.
4. Push the “run scan” button.
5. Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized



#2
December 5, 2009 at 19:04:28

I saved the first file to my desktop but I got this message in the
command module:

WARNING: could not get backup priviledges!
Searching 'C:\Windows' ...

Cannot access: C:\Windows\CSC\v2.0.6\pq
[1] 2009-11-02 16:49:00 64 C:\Windows\CSC\v2.0.6\pq <>



#3
December 5, 2009 at 19:08:42

Delete the win32kdiag log file from your desktop that you posted.

Please run win32kdiag.exe again, with the following command to fix some malware related changes.

Click on Start->Run, and copy-paste (or type) the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



#4
December 6, 2009 at 12:55:37

I still think it didn't work. Most of it was error messages about
how it cannot get permissions for anything.

Running from: C:\Users\Garrett\Desktop\win32kdiag.exe
Log file at : C:\Users\Garrett\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...

Cannot access: C:\Windows\CSC\v2.0.6\pq

Attempting to restore permissions of :
C:\Windows\CSC\v2.0.6\pq

Cannot access: C:\Windows\CSC\v2.0.6\temp\ea-{668100a9-c7f9-11de-8e32-e6db185a89ec}

Attempting to restore permissions of :
C:\Windows\CSC\v2.0.6\temp\ea-{668100a9-c7f9-11de-8e32-e6db185a89ec}

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of :
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of :
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of :
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of :
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl

Attempting to restore permissions of :
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl

Finished!



#5
December 6, 2009 at 13:05:41

ComboFix will not run on 64 bit systems.

See if you can run RSIT and OTL from Response #1, and this rootkit detector, GMER.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
•Exit GMER and re-enable all active protection when done.



#6
December 6, 2009 at 13:48:04

It's not 64 bit. I tried to enter in 32 bit but there was no listing under Windows 7 Professional 32-Bit. I explained this
in the first post.

Unfortunately, my 30 day trial of windows ran out recently so I'm apparently using "Windows 7 build 7600: This
build of Windows is not genuine." I'm still working on saving up to buy the operating system so that I can get an
activation key for it.

I did a Gmer scan and got a ton of information from that one. I've tried to upload the contents to the site but perhaps
it's too long or something because it won't let me upload it.

So, I uploaded a txt version of it to Scribd so that you can view it:
http://www.scribd.com/doc/23751315

Thanks a million for helping out. I hope this information will help you find out exactly what's wrong with my
computer.



#7
December 6, 2009 at 14:22:04

Just post it in segments please, it may take 3 to 4 posts.

#8
December 6, 2009 at 15:28:38

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 16:44:06
Windows 6.1.7600
Running: vt8f4sm4.exe; Driver: C:\Users\Garrett\AppData\Local\Temp\pwldqpob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1FAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1F104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1F3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A082D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A07898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1F1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1F958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1F6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1FF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A201A8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8E38479E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8E384762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8E3847DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8E38481F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8E384710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8E384724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8E3847B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8E384833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8E38478A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8E384776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8E38480B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8E3847F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8E3847C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82A67128 5 Bytes JMP 8E3847CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A7F579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\speb.sys The system cannot find the path specified. !
.text a91cgflh.SYS 88F34000 12 Bytes [44, A8, A0, 82, EE, A6, A0, ...]
.text a91cgflh.SYS 88F3400D 9 Bytes [87, A0, 82, 48, AB, A0, 82, ...] {XCHG [EAX-0x5f54b77e], ESP; ADD BYTE [EAX], 0x0}
.text a91cgflh.SYS 88F34017 170 Bytes [00, DE, E7, 72, 83, E6, E5, ...]
.text a91cgflh.SYS 88F340C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text a91cgflh.SYS 88F340CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text USBPORT.SYS!DllUnload 8E138CA0 5 Bytes JMP 862FF1D8
.text peauth.sys 96B5EC9D 28 Bytes [CF, E5, D7, A7, 0E, 1E, D2, ...]
.text peauth.sys 96B5ECC1 28 Bytes [CF, E5, D7, A7, 0E, 1E, D2, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[524] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 00750F13
.text C:\Windows\system32\services.exe[524] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 00750097
.text C:\Windows\system32\services.exe[524] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 00750086
.text C:\Windows\system32\services.exe[524] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 00750FA8
.text C:\Windows\system32\services.exe[524] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 00750F2E
.text C:\Windows\system32\services.exe[524] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00750F50
.text C:\Windows\system32\services.exe[524] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 0075001E
.text C:\Windows\system32\services.exe[524] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 00750F61
.text C:\Windows\system32\services.exe[524] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 00750FD4
.text C:\Windows\system32\services.exe[524] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 00750EF1
.text C:\Windows\system32\services.exe[524] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 00750F8D
.text C:\Windows\system32\services.exe[524] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 00750F7C
.text C:\Windows\system32\services.exe[524] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 00750FE5
.text C:\Windows\system32\services.exe[524] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 00750061
.text C:\Windows\system32\services.exe[524] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 00750FC3
.text C:\Windows\system32\services.exe[524] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 00750F02
.text C:\Windows\system32\services.exe[524] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 00750F3F
.text C:\Windows\system32\services.exe[524] msvcrt.dll!_open 76E37E48 5 Bytes JMP 007A0FEF
.text C:\Windows\system32\services.exe[524] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 007A0FAD
.text C:\Windows\system32\services.exe[524] msvcrt.dll!system 76E6B16F 5 Bytes JMP 007A0038
.text C:\Windows\system32\services.exe[524] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 007A001D
.text C:\Windows\system32\services.exe[524] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 007A0FC8
.text C:\Windows\system32\services.exe[524] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 007A000C
.text C:\Windows\system32\services.exe[524] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 005A0FEF
.text C:\Windows\system32\services.exe[524] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 005A0014
.text C:\Windows\system32\services.exe[524] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 005A0FDE
.text C:\Windows\system32\services.exe[524] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 005A0025
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 007B0FEF
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 007B0FAF
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 007B0040
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 007B0F9E
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 007B000A
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 007B005B
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 007B001B
.text C:\Windows\system32\services.exe[524] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 007B0FCA
.text C:\Windows\system32\services.exe[524] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 005B0FEF
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 000900A6
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 000900F0
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 000900CB
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 0009002C
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 00090095
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00090069
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 00090F91
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 0009004E
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 00090FE5
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 00090101
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 0009003D
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryW 76D228B2 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 00090FB6
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateFileA 76D228FC 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 00090000
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 00090F6C
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 0009001B
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 00090F5B
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 0009007A
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_open 76E37E48 5 Bytes JMP 000A0000
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 000A0F9C
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!system 76E6B16F 5 Bytes JMP 000A0FAD
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 000A0FE3
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 000A0FC8
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 000A001D
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 0007000A
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 00070025
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 00070036
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00070FE5
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 006D0000
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 006D0047
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 006D0062
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 006D0FC0
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 006D001B
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 006D0FAF
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 006D002C
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 006D0FE5
.text C:\Windows\system32\lsass.exe[536] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 002B0F39
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 002B0F0A
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 002B009F
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 002B0FCA
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 002B0062
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 002B0051
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 002B0F79
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 002B0F8A
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 002B0FE5
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 002B0EF9
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 002B0FAF
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 002B0036
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreateFileA 76D228FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 002B0000
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 002B007D
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 002B001B
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 002B008E
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 002B0F54
.text C:\Windows\system32\svchost.exe[732] msvcrt.dll!_open 76E37E48 5 Bytes JMP 00440FEF
.text C:\Windows\system32\svchost.exe[732] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 00440047
.text C:\Windows\system32\svchost.exe[732] msvcrt.dll!system 76E6B16F 5 Bytes JMP 00440FC6
.text C:\Windows\system32\svchost.exe[732] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 0044001B
.text C:\Windows\system32\svchost.exe[732] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 0044002C
.text C:\Windows\system32\svchost.exe[732] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 00440000
.text C:\Windows\system32\svchost.exe[732] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 00290000
.text C:\Windows\system32\svchost.exe[732] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 00290FE5
.text C:\Windows\system32\svchost.exe[732] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 00290FD4
.text C:\Windows\system32\svchost.exe[732] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00290FC3
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 0045000A
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00450047
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00450073
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00450062
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 0045001B
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00450FC0
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 0045002C
.text C:\Windows\system32\svchost.exe[732] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00450FDB
.text C:\Windows\system32\svchost.exe[732] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 002A0FE5
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 005B007A
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 005B0F1B
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 005B00B0
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 005B0FC0
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 005B0069
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 005B0F65
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 005B003D
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 005B0F80
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 005B0000
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 005B0F00
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 005B0022
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 005B0F91
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 005B0FE5
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 005B0095
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 005B0011
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 005B0F2C
.text C:\Windows\system32\svchost.exe[852] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 005B0058
.text C:\Windows\system32\svchost.exe[852] msvcrt.dll!_open 76E37E48 5 Bytes JMP 005C0FEF
.text C:\Windows\system32\svchost.exe[852] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 005C0F9C
.text C:\Windows\system32\svchost.exe[852] msvcrt.dll!system 76E6B16F 5 Bytes JMP 005C0FC1
.text C:\Windows\system32\svchost.exe[852] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 005C0FD2
.text C:\Windows\system32\svchost.exe[852] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 005C0031
.text C:\Windows\system32\svchost.exe[852] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 005C0000
.text C:\Windows\system32\svchost.exe[852] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 00590FE5
.text C:\Windows\system32\svchost.exe[852] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 0059000A
.text C:\Windows\system32\svchost.exe[852] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 0059001B
.text C:\Windows\system32\svchost.exe[852] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00590FD4
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 005D0000
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 005D0FA8
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 005D0F97
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 005D0039
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 005D0FEF
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 005D0054
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 005D0FD4
.text C:\Windows\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 005D0FC3
.text C:\Windows\system32\svchost.exe[852] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 005A0FE5
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 011B0F86
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 011B0F49
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 011B0F5A
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 011B0FE5
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 011B00AF
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 011B0FA8
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 011B0080
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 011B005B
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 011B001B
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 011B0F38
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 011B0FD4
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 011B0FC3
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 011B000A
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 011B00CA
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 011B0036
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 011B0F6B
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 011B0F97
.text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_open 76E37E48 5 Bytes JMP 01200000
.text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 01200FB4
.text C:\Windows\System32\svchost.exe[932] msvcrt.dll!system 76E6B16F 5 Bytes JMP 01200049
.text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 0120002E
.text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 01200FD9
.text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 01200011
.text C:\Windows\System32\svchost.exe[932] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 00AF0000
.text C:\Windows\System32\svchost.exe[932] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 00AF0011
.text C:\Windows\System32\svchost.exe[932] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 00AF0FDB
.text C:\Windows\System32\svchost.exe[932] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00AF0FCA
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 01210000
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 01210FDB
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 01210FA5
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 01210FC0
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 01210011
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 01210062
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 01210022
.text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 01210047
.text C:\Windows\System32\svchost.exe[932] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 00B40000
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 005B0F6F
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 005B0F32
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 005B0F4D
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 005B0FDB
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 005B0098
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 005B006C
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 005B0F94
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 005B0051
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 005B001B
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 005B00E2
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 005B0FCA
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 005B0FAF
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreateFileA 76D228FC 1 Byte [E9]



#9
December 6, 2009 at 15:29:27

.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 005B0000
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 005B0F5E
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 005B0036
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 005B00C7
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 005B007D
.text C:\Windows\System32\svchost.exe[992] msvcrt.dll!_open 76E37E48 5 Bytes JMP 005C0FEF
.text C:\Windows\System32\svchost.exe[992] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 005C0F84
.text C:\Windows\System32\svchost.exe[992] msvcrt.dll!system 76E6B16F 5 Bytes JMP 005C0F95
.text C:\Windows\System32\svchost.exe[992] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 005C0FC1
.text C:\Windows\System32\svchost.exe[992] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 005C0FA6
.text C:\Windows\System32\svchost.exe[992] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 005C0FD2
.text C:\Windows\System32\svchost.exe[992] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 00460FEF
.text C:\Windows\System32\svchost.exe[992] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 00460FD4
.text C:\Windows\System32\svchost.exe[992] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 00460FB9
.text C:\Windows\System32\svchost.exe[992] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00460F9E
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 005D0000
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 005D0051
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 005D0073
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 005D0062
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 005D001B
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 005D0084
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 005D002C
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 005D0FDB
.text C:\Windows\System32\svchost.exe[992] WS2_32.dll!socket 75CD3F00 3 Bytes JMP 00590000
.text C:\Windows\System32\svchost.exe[992] WS2_32.dll!socket + 4 75CD3F04 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 005D005E
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 005D00C0
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 005D00A5
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 005D0FB9
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 005D0F3F
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 76D150AB 3 Bytes JMP 005D0F61
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtect + 4 76D150AF 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 76D1B6BF 3 Bytes JMP 005D0F7C
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW + 4 76D1B6C3 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 76D1BC8B 3 Bytes JMP 005D0F8D
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA + 4 76D1BC8F 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateFileW 76D20B5D 3 Bytes JMP 005D0FD4
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateFileW + 4 76D20B61 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 005D00D1
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 005D0025
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 005D0FA8
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 005D0FEF
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 005D0079
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 005D000A
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 005D008A
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 005D0F50
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_open 76E37E48 5 Bytes JMP 005E0FEF
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 005E0F7A
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!system 76E6B16F 5 Bytes JMP 005E0F95
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 005E0FC1
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 005E0FA6
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 005E0FDE
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 00450000
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 00450FE5
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 00450011
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00450036
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00BB0FEF
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00BB0FCA
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00BB0051
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00BB0FAF
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00BB000A
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00BB0062
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00BB001B
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00BB002C
.text C:\Windows\system32\svchost.exe[1064] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 00460FE5
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 0064007D
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 006400B3
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 00640F1E
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 0064001B
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 0064006C
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00640F54
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 0064002C
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 00640F79
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 00640FE5
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 00640F0D
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 00640FA5
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 00640F8A
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateFileA 76D228FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 00640000
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 0064008E
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 00640FCA
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 00640F39
.text C:\Windows\system32\svchost.exe[1196] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 00640047
.text C:\Windows\system32\svchost.exe[1196] msvcrt.dll!_open 76E37E48 5 Bytes JMP 00650000
.text C:\Windows\system32\svchost.exe[1196] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 00650058
.text C:\Windows\system32\svchost.exe[1196] msvcrt.dll!system 76E6B16F 5 Bytes JMP 00650047
.text C:\Windows\system32\svchost.exe[1196] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 00650FCD
.text C:\Windows\system32\svchost.exe[1196] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 0065002C
.text C:\Windows\system32\svchost.exe[1196] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 00650011
.text C:\Windows\system32\svchost.exe[1196] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 005A0FEF
.text C:\Windows\system32\svchost.exe[1196] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 005A0014
.text C:\Windows\system32\svchost.exe[1196] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 005A002F
.text C:\Windows\system32\svchost.exe[1196] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 005A004A
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00AA0000
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00AA0FCA
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00AA0F9E
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00AA0FAF
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00AA0FEF
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00AA0051
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00AA0025
.text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00AA0036
.text C:\Windows\system32\svchost.exe[1196] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 005B0FEF
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 006200AC
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 00620F2B
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 00620F3C
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 00620FEF
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 00620F83
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00620F9E
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 00620076
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 00620FB9
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 0062001B
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 006200DB
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 0062005B
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 00620FD4
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 0062000A
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 00620F5E
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 00620040
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 00620F4D
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 00620091
.text C:\Windows\system32\svchost.exe[1368] msvcrt.dll!_open 76E37E48 5 Bytes JMP 00630FEF
.text C:\Windows\system32\svchost.exe[1368] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 00630058
.text C:\Windows\system32\svchost.exe[1368] msvcrt.dll!system 76E6B16F 5 Bytes JMP 00630033
.text C:\Windows\system32\svchost.exe[1368] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 00630FDE
.text C:\Windows\system32\svchost.exe[1368] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 00630FC3
.text C:\Windows\system32\svchost.exe[1368] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 00630018
.text C:\Windows\system32\svchost.exe[1368] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 005C0FE5
.text C:\Windows\system32\svchost.exe[1368] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 005C000A
.text C:\Windows\system32\svchost.exe[1368] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 005C0025
.text C:\Windows\system32\svchost.exe[1368] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 005C0FD4
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00B40FEF
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00B40040
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00B40FAF
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00B4005B
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00B40FD4
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00B40F94
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00B4000A
.text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00B4002F
.text C:\Windows\system32\svchost.exe[1368] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 005D0000
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 00AD00C0
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 00AD0F50
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 00AD0F6B
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 00AD0FC3
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 00AD0FA1
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00AD008A
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 00AD006F
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 00AD0FB2
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 00AD0FDE
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 00AD0100
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 00AD002F
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 00AD004A
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 00AD0FEF
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 00AD0F7C
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 00AD0014
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 00AD00DB
.text C:\Windows\system32\svchost.exe[1612] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 00AD00AF
.text C:\Windows\system32\svchost.exe[1612] msvcrt.dll!_open 76E37E48 5 Bytes JMP 00AE0000
.text C:\Windows\system32\svchost.exe[1612] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 00AE002C
.text C:\Windows\system32\svchost.exe[1612] msvcrt.dll!system 76E6B16F 5 Bytes JMP 00AE001B


#10
December 6, 2009 at 15:29:54

.text C:\Windows\system32\svchost.exe[1612] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 00AE0FC6
.text C:\Windows\system32\svchost.exe[1612] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 00AE0FB5
.text C:\Windows\system32\svchost.exe[1612] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 00AE0FD7
.text C:\Windows\system32\svchost.exe[1612] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 00AB0000
.text C:\Windows\system32\svchost.exe[1612] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 00AB0FDB
.text C:\Windows\system32\svchost.exe[1612] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 00AB0011
.text C:\Windows\system32\svchost.exe[1612] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00AB0036
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00AF0FEF
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 00AF0FB2
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00AF004D
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00AF0FA1
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00AF0FDE
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00AF0F90
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00AF0FCD
.text C:\Windows\system32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00AF0028
.text C:\Windows\system32\svchost.exe[1612] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 00AC0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1836] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1836] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 00060F43
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 00060F0A
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 000600A9
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 00060FB9
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 00060F54
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00060051
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 00060036
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 00060F79
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 00060FE5
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 000600C4
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 00060F9E
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 0006001B
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 0006000A
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 0006007D
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 00060FD4
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 0006008E
.text C:\Windows\system32\svchost.exe[2744] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 00060062
.text C:\Windows\system32\svchost.exe[2744] msvcrt.dll!_open 76E37E48 5 Bytes JMP 000F000C
.text C:\Windows\system32\svchost.exe[2744] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 000F0FC1
.text C:\Windows\system32\svchost.exe[2744] msvcrt.dll!system 76E6B16F 5 Bytes JMP 000F0042
.text C:\Windows\system32\svchost.exe[2744] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 000F001D
.text C:\Windows\system32\svchost.exe[2744] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 000F0FD2
.text C:\Windows\system32\svchost.exe[2744] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 000F0FEF
.text C:\Windows\system32\svchost.exe[2744] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 00180000
.text C:\Windows\system32\svchost.exe[2744] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 0018001B
.text C:\Windows\system32\svchost.exe[2744] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 00180FE5
.text C:\Windows\system32\svchost.exe[2744] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 00180FD4
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00190000
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 0019004A
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00190FC3
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00190065
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00190025
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00190FA8
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[2744] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00190FDE
.text C:\Windows\system32\svchost.exe[2744] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 00020FEF
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoA 76CD1DF0 3 Bytes JMP 00590F4D
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoA + 4 76CD1DF4 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessW 76CD202D 3 Bytes JMP 00590EF2
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessW + 4 76CD2031 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessA 76CD2062 3 Bytes JMP 00590091
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessA + 4 76CD2066 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 0059000A
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 0059006C
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00590F6F
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 0059003D
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 0059002C
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 00590FCA
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 00590ED7
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 0059001B
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 00590F94
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 00590FE5
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 00590F32
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 00590FB9
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 00590F17
.text C:\Windows\system32\svchost.exe[2976] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 00590F5E
.text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_open 76E37E48 5 Bytes JMP 005A0000
.text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 005A0042
.text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!system 76E6B16F 5 Bytes JMP 005A0031
.text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 005A0FD2
.text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 005A0FC1
.text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 005A0FE3
.text C:\Windows\system32\svchost.exe[2976] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 002C0000
.text C:\Windows\system32\svchost.exe[2976] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 002C001B
.text C:\Windows\system32\svchost.exe[2976] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 002C0FE5
.text C:\Windows\system32\svchost.exe[2976] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 002C0FCA
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 005B000A
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 005B0FA8
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 005B0040
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 005B002F
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 005B0FEF
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 005B0051
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 005B0FD4
.text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 005B0FC3
.text C:\Windows\system32\svchost.exe[2976] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 00460000
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!GetStartupInfoA 76CD1DF0 5 Bytes JMP 000600C7
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreateProcessW 76CD202D 5 Bytes JMP 00060F50
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreateProcessA 76CD2062 5 Bytes JMP 00060F61
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreateNamedPipeW 76D01FD6 5 Bytes JMP 0006002C
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreatePipe 76D04A8B 5 Bytes JMP 00060F94
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!VirtualProtect 76D150AB 5 Bytes JMP 00060FB6
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!LoadLibraryExW 76D1B6BF 5 Bytes JMP 00060098
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!LoadLibraryExA 76D1BC8B 5 Bytes JMP 00060073
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreateFileW 76D20B5D 5 Bytes JMP 00060FE5
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!GetProcAddress 76D21837 5 Bytes JMP 00060100
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!LoadLibraryA 76D22864 5 Bytes JMP 00060051
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!LoadLibraryW 76D228B2 5 Bytes JMP 00060062
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreateFileA 76D228FC 1 Byte [E9]
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreateFileA 76D228FC 5 Bytes JMP 00060000
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!GetStartupInfoW 76D27CB5 5 Bytes JMP 00060F83
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!CreateNamedPipeA 76D5D4DF 5 Bytes JMP 0006001B
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!WinExec 76D5E695 5 Bytes JMP 00060F72
.text C:\Windows\Explorer.EXE[3980] kernel32.dll!VirtualProtectEx 76D5F651 5 Bytes JMP 00060FA5
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegOpenKeyA 773AD2ED 5 Bytes JMP 00080000
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegCreateKeyA 773AD3C1 5 Bytes JMP 0008005B
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegCreateKeyExA 773B1B71 5 Bytes JMP 00080080
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegCreateKeyW 773B1CC0 5 Bytes JMP 00080FD4
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegOpenKeyW 773B3129 5 Bytes JMP 00080FEF
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegCreateKeyExW 773BB946 5 Bytes JMP 00080FC3
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegOpenKeyExA 773BBC0D 5 Bytes JMP 0008002F
.text C:\Windows\Explorer.EXE[3980] ADVAPI32.dll!RegOpenKeyExW 773BBEC4 5 Bytes JMP 00080040
.text C:\Windows\Explorer.EXE[3980] msvcrt.dll!_open 76E37E48 5 Bytes JMP 00090000
.text C:\Windows\Explorer.EXE[3980] msvcrt.dll!_wsystem 76E6B04F 5 Bytes JMP 00090066
.text C:\Windows\Explorer.EXE[3980] msvcrt.dll!system 76E6B16F 5 Bytes JMP 00090FDB
.text C:\Windows\Explorer.EXE[3980] msvcrt.dll!_creat 76E6ED29 5 Bytes JMP 0009003A
.text C:\Windows\Explorer.EXE[3980] msvcrt.dll!_wcreat 76E7038E 5 Bytes JMP 0009004B
.text C:\Windows\Explorer.EXE[3980] msvcrt.dll!_wopen 76E70570 5 Bytes JMP 0009001D
.text C:\Windows\Explorer.EXE[3980] WININET.dll!InternetOpenA 758B7E1C 5 Bytes JMP 002A0FEF
.text C:\Windows\Explorer.EXE[3980] WININET.dll!InternetOpenW 758B9DA0 5 Bytes JMP 002A0000
.text C:\Windows\Explorer.EXE[3980] WININET.dll!InternetOpenUrlA 758BDC18 5 Bytes JMP 002A0011
.text C:\Windows\Explorer.EXE[3980] WININET.dll!InternetOpenUrlW 7590DC14 5 Bytes JMP 002A0FC0
.text C:\Windows\Explorer.EXE[3980] WS2_32.dll!socket 75CD3F00 5 Bytes JMP 00900000


#11
December 6, 2009 at 15:30:11

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83624042] \SystemRoot\System32\Drivers\speb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [836246D6] \SystemRoot\System32\Drivers\speb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83624800] \SystemRoot\System32\Drivers\speb.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8362413E] \SystemRoot\System32\Drivers\speb.sys
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1852] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [754E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1852] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [754E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1852] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [754E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1852] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [754E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1852] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [754E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1852] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [754E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84C7A1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\volmgr \Device\VolMgrControl 84C761F8
Device \Driver\usbohci \Device\USBPDO-0 862F91F8
Device \Driver\usbehci \Device\USBPDO-1 863011F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{8E0300DB-432D-4D60-AB2F-70DEB0DDD044} 86292380
Device \Driver\usbohci \Device\USBPDO-2 862F91F8
Device \Driver\ACPI_HAL \Device\00000053 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-3 863011F8
Device \Driver\PCI_PNP7408 \Device\00000060 speb.sys

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\volmgr \Device\HarddiskVolume1 84C761F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 860CE1F8
Device \Driver\atapi \Device\Ide\IdePort0 84C781F8
Device \Driver\atapi \Device\Ide\IdePort1 84C781F8
Device \Driver\atapi \Device\Ide\IdePort2 84C781F8
Device \Driver\atapi \Device\Ide\IdePort3 84C781F8
Device \Driver\atapi \Device\Ide\IdePort4 84C781F8
Device \Driver\atapi \Device\Ide\IdePort5 84C781F8
Device \Driver\atapi \Device\Ide\IdePort6 84C781F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-0 84C781F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86292380
Device \Driver\NetBT \Device\NetBT_Tcpip_{E9771D07-5BFA-40C9-91CA-6E3467545CF5} 86292380

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\PCI_PNP7408 \Device\0000005f speb.sys
Device \Driver\usbohci \Device\USBFDO-0 862F91F8
Device \Driver\usbehci \Device\USBFDO-1 863011F8
Device \Driver\usbohci \Device\USBFDO-2 862F91F8
Device \Driver\usbehci \Device\USBFDO-3 863011F8
Device \Driver\sptd \Device\2786117408 speb.sys
Device \Driver\a91cgflh \Device\Scsi\a91cgflh1 860FA500
Device -> \Driver\atapi \Device\Harddisk0\DR0 85A64618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5A 0x1A 0x1C 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x45 0x70 0x7B 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x14 0x9F 0xBC 0x82 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xCF 0x8E 0x65 0x8D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x2D 0x24 0x9F 0x3E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xD6 0x87 0x0E 0x94 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5A 0x1A 0x1C 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x45 0x70 0x7B 0xAE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x14 0x9F 0xBC 0x82 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xCF 0x8E 0x65 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x2D 0x24 0x9F 0x3E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xD6 0x87 0x0E 0x94 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Report •
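The GMER log above carries three indicators that point at the same thing: a driver with a random-looking name (a91cgflh.SYS) owning kernel IAT entries of ataport.SYS, a device object for \Device\Harddisk0\DR0 that GMER highlights with "->", and atapi.sys reported as a suspicious modification. The script below is an added example, not part of this thread and not GMER's own code: it parses those three record types from GMER's text output and correlates them by driver name so a reviewer does not have to eyeball a 2,000-line log. The allowlist of drivers expected to import from ataport.SYS is an assumption made for the example, and the sample log lines are constructed from the entries posted above.

```python
"""Triage a GMER scan log for the kernel-hooking indicators shown above.

Added example: not part of the forum thread and not GMER's own code. It parses
three GMER record types and correlates them by driver name:
  * kernel IAT entries whose owner is not an expected storage miniport,
  * a device object GMER highlights with '->',
  * a system file GMER reports as modified.
The sample log below is constructed from the entries posted in the thread.
"""
import re
from collections import defaultdict

# Kernel entry: IAT \path\driver.sys[module!function] address
KERNEL_IAT_RE = re.compile(
    r"^IAT\s+(?P<path>\\[^\[\s]+)\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]+)\s*$"
)
# Device entry, optionally marked with '->': Device [->] \Driver\x \Device\y <owner or address>
DEVICE_RE = re.compile(r"^Device\s+(?P<arrow>->\s+)?(?P<drvobj>\\\S+)\s+(?P<devobj>\\\S+)(?:\s+(?P<tail>.*))?$")
# File entry: File <path> <verdict>
FILE_RE = re.compile(r"^File\s+(?P<path>\S+)\s+(?P<verdict>.+)$")

# Drivers expected to import from ataport.SYS on a stock Windows 7 install.
# This allowlist is an assumption made for the example; extend it per environment.
EXPECTED_ATAPORT_MINIPORTS = {"atapi.sys", "pciide.sys", "intelide.sys", "msahci.sys"}

# Constructed from the log posted in the thread.
SAMPLE_GMER_LOG = r"""
---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\a91cgflh.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84C7A1F8
Device \Driver\atapi \Device\Ide\IdePort0 84C781F8
Device \Driver\a91cgflh \Device\Scsi\a91cgflh1 860FA500
Device -> \Driver\atapi \Device\Harddisk0\DR0 85A64618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer(text):
    """Return (iat_owners, devices, files) extracted from GMER log text."""
    iat_owners = defaultdict(list)  # owning driver file -> [(hooked module, function)]
    devices = []                    # (marked_with_arrow, driver object, device object)
    files = []                      # (path, verdict)
    for line in text.splitlines():
        m = KERNEL_IAT_RE.match(line)
        if m:
            owner = m.group("path").rsplit("\\", 1)[-1].lower()
            iat_owners[owner].append((m.group("module").lower(), m.group("func")))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append((m.group("arrow") is not None, m.group("drvobj"), m.group("devobj")))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append((m.group("path"), m.group("verdict").strip()))
    return iat_owners, devices, files


def triage(text, expected_owners=EXPECTED_ATAPORT_MINIPORTS):
    """Return a list of (kind, subject, note) findings worth a human look."""
    iat_owners, devices, files = parse_gmer(text)
    driver_object_names = {drv.rsplit("\\", 1)[-1].lower() for _, drv, _ in devices}
    findings = []
    for owner, entries in iat_owners.items():
        if owner in expected_owners:
            continue
        modules = ", ".join(sorted({mod for mod, _ in entries}))
        note = f"{owner} owns {len(entries)} kernel IAT entries of {modules}"
        stem = owner.rsplit(".", 1)[0]
        if stem in driver_object_names:
            # The same name also appears as a driver object: it is loaded, not a stale import.
            note += f"; it also registers driver object \\Driver\\{stem}"
        findings.append(("unexpected-iat-owner", owner, note))
    for marked, drvobj, devobj in devices:
        if marked:
            findings.append(("redirected-device", devobj, f"GMER marks {devobj} ({drvobj}) with '->'"))
    for path, verdict in files:
        if "modif" in verdict.lower():
            findings.append(("modified-system-file", path, verdict))
    return findings


if __name__ == "__main__":
    for kind, subject, note in triage(SAMPLE_GMER_LOG):
        print(f"[{kind}] {subject}: {note}")
```

Run against the sample, the script reports the unknown IAT owner together with its driver object, the "->" marked disk device and the modified atapi.sys; a log whose only ataport importer is atapi.sys itself yields no findings. User-mode IAT entries (the rundll32.exe lines routed through apphelp.dll) are deliberately not matched, since the first regex requires a kernel path starting with a backslash.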

#12
December 6, 2009 at 15:31:46

My computer's antivirus systems are starting to go buggy. They
all crashed a few minutes ago and I'm finding corruptions and
problems with Google Chrome (such as when I click on a tab to
go to it, it closes the tab instead of going there). When I try to
click the start menu all the icons freeze up and I have to
control+alt+delete to get them working again. I'm getting scared
that I might have to reinstall Windows onto my computer, and I
really hope I won't have to. I have a lot of important files on here
that I'd like to keep. :(

Report •

#13
December 6, 2009 at 16:29:16

I see the rootkit that is causing most of the problem, but I can't tell you if the computer is going to fail when we try to remove it. Can you copy those important files to a CD or USB drive?

Then do the following scans; the first two may stabilize your system, depending on how it was infected.

You may need to download the tools to a USB drive or CD and run them on the infected computer, but first try to run them from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

If nothing happens or if the tool does not run, please let me know in your next reply.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Press the Windows key and R key at the same time to get to the Run command. Type in ComboFix /Uninstall (note the space after ComboFix is needed), then click OK. Give it 2 or 3 minutes to uninstall.

Download ComboFix from Internet Explorer instead of a third-party browser if possible. Remember, your antivirus and any real-time anti-spyware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled and help you determine if you have one that needs to be disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


Report •

#14
December 6, 2009 at 17:35:09

ComboFix 09-12-06.09 - Garrett 12/06/2009 20:17.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2046.1004 [GMT -5:00]
Running from: c:\users\Garrett\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\users\Garrett\AppData\Local\Microsoft\Windows\Temporary Internet Files\udRemove.exe
c:\windows\system32\__c00D1757.dat
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\mt_32.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wiNLoad.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-07 01:27 . 2009-12-07 01:30 4096 d-----w- c:\users\Garrett\AppData\Local\temp
2009-12-07 01:27 . 2009-12-07 01:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-06 22:56 . 2009-12-06 22:56 17408 ----a-w- c:\windows\system32\winsec.dll
2009-12-06 22:55 . 2009-12-06 22:55 51712 ----a-w- C:\dens.exe
2009-12-06 22:55 . 2009-12-06 22:55 30206 ----a-w- C:\siuhb.exe
2009-12-06 00:25 . 2009-12-07 01:29 4096 d-----w- c:\program files\iCall
2009-12-06 00:03 . 2009-12-06 00:03 -------- d-----w- c:\program files\Trend Micro
2009-12-05 18:33 . 2009-12-05 18:33 117760 ----a-w- c:\users\Garrett\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-05 18:31 . 2009-12-05 18:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-05 18:31 . 2009-12-05 18:31 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-12-05 18:31 . 2009-12-05 18:31 -------- d-----w- c:\users\Garrett\AppData\Roaming\SUPERAntiSpyware.com
2009-12-05 17:32 . 2009-12-05 16:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-05 16:33 . 2009-12-05 16:33 -------- dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-05 16:33 . 2009-10-03 08:15 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-12-05 16:33 . 2009-12-05 16:33 -------- d-----w- c:\program files\Lavasoft
2009-12-05 16:33 . 2009-12-05 16:35 -------- d-----w- c:\programdata\Lavasoft
2009-12-04 23:14 . 2009-12-04 23:14 737280 ----a-w- c:\windows\iun6002.exe
2009-12-04 23:13 . 2009-12-05 21:00 19 ----a-w- c:\windows\popcinfo.dat
2009-12-04 23:13 . 2009-12-04 23:13 -------- d-----w- c:\program files\PopCap Games
2009-11-25 03:00 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-21 20:42 . 2009-11-21 20:42 -------- d-----w- c:\programdata\BioWare
2009-11-21 01:45 . 2009-11-21 01:45 -------- d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP
2009-11-21 01:45 . 2009-11-21 01:45 -------- d-----w- c:\programdata\Media Center Programs
2009-11-21 01:32 . 2009-11-21 01:45 -------- d-----w- c:\program files\Common Files\BioWare
2009-11-21 01:32 . 2009-11-21 01:40 4096 d-----w- c:\program files\Dragon Age
2009-11-21 01:03 . 2009-11-21 01:03 2338816 ----a-w- c:\users\Garrett\AppData\Roaming\Folding@home-x86\FahCore_78.exe
2009-11-20 02:47 . 2009-11-20 02:47 -------- d-----w- c:\users\Garrett\AppData\Local\Mozilla
2009-11-20 02:38 . 2009-11-20 02:38 -------- d-----w- c:\users\Garrett\AppData\Roaming\Apowersoft
2009-11-20 02:38 . 2009-11-20 02:38 -------- d-----w- c:\program files\Apowersoft
2009-11-20 02:23 . 2009-11-21 01:04 -------- d-----w- c:\users\Garrett\AppData\Roaming\Folding@home-x86
2009-11-20 02:23 . 2009-11-20 02:23 98477 ----a-r- c:\users\Garrett\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-11-20 02:23 . 2009-11-20 02:23 98477 ----a-r- c:\users\Garrett\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-11-20 02:23 . 2009-11-20 02:23 10134 ----a-r- c:\users\Garrett\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-11-20 02:23 . 2009-11-20 02:23 -------- d-----w- c:\program files\Folding@home
2009-11-19 01:58 . 2009-11-19 01:58 -------- d-----w- c:\users\Garrett\AppData\Roaming\GrabPro
2009-11-19 01:58 . 2009-12-06 20:55 -------- d-----w- c:\users\Garrett\AppData\Roaming\Orbit
2009-11-19 01:58 . 2009-11-19 01:58 -------- d-----w- c:\program files\Orbitdownloader
2009-11-19 01:47 . 2009-12-06 20:55 -------- d-----w- C:\downloads
2009-11-19 01:47 . 2009-11-19 01:47 -------- d-----w- c:\users\Garrett\AppData\Roaming\FVZilla
2009-11-19 01:47 . 2009-11-19 01:52 -------- d-----w- c:\program files\Free Video Zilla
2009-11-15 21:36 . 2009-11-30 03:06 -------- d-----w- c:\users\Garrett\AppData\Roaming\vlc
2009-11-15 13:47 . 2009-11-15 13:47 -------- d-----w- c:\program files\SpeedFan
2009-11-15 03:41 . 2009-11-18 02:43 -------- d-----w- c:\program files\EVGA Precision
2009-11-14 01:32 . 2009-11-14 01:32 -------- d-----w- c:\program files\Activision
2009-11-10 00:29 . 2009-11-10 00:30 -------- d-----w- c:\program files\PFConfig
2009-11-09 23:55 . 2009-11-11 01:20 -------- d-----w- c:\users\Garrett\AppData\Local\LogMeIn Hamachi
2009-11-09 23:54 . 2009-09-23 14:41 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-11-09 23:54 . 2009-11-09 23:54 4096 d-----w- c:\program files\LogMeIn Hamachi
2009-11-08 19:49 . 2009-11-27 00:29 -------- d-----w- c:\program files\Common Files\Steam
2009-11-08 19:49 . 2009-12-07 01:29 8192 d-----w- c:\program files\Steam
2009-11-08 03:08 . 2009-11-08 03:18 -------- d-----w- c:\users\Garrett\AppData\Local\Adobe
2009-11-08 03:07 . 2009-11-08 03:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-07 22:21 . 2009-11-07 22:21 -------- d-----w- c:\program files\VideoLAN
2009-11-07 13:53 . 2009-11-07 13:53 -------- d-sh--w- c:\programdata\SecuROM
2009-11-07 13:41 . 2009-11-07 13:41 -------- d-----w- c:\program files\2K Games
2009-11-07 13:41 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-11-07 13:41 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-11-07 13:39 . 2009-11-07 13:39 -------- d-----w- c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
2009-11-07 03:11 . 2009-11-07 03:14 4096 d-----w- c:\program files\DAEMON Tools Pro
2009-11-07 03:11 . 2009-11-07 03:11 -------- d-----w- c:\programdata\DAEMON Tools Pro
2009-11-07 03:06 . 2009-11-07 03:06 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-07 03:05 . 2009-11-07 13:38 -------- d-----w- c:\users\Garrett\AppData\Roaming\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 01:30 . 2009-11-05 02:09 12288 d-----w- c:\users\Garrett\AppData\Roaming\uTorrent
2009-12-05 18:30 . 2009-11-02 22:42 4096 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-02 21:34 . 2009-11-05 00:47 4096 d-----w- c:\program files\McAfee
2009-12-01 21:18 . 2009-11-04 22:35 4096 d-----w- c:\programdata\McAfee
2009-11-30 03:22 . 2009-11-06 03:42 4096 d-----w- c:\users\Garrett\AppData\Roaming\Any Video Converter
2009-11-20 01:57 . 2009-11-05 23:16 4096 d-----w- c:\users\Garrett\AppData\Roaming\mIRC
2009-11-06 04:11 . 2009-11-06 04:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-06 03:59 . 2009-11-02 21:50 76640 ----a-w- c:\users\Garrett\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-06 03:42 . 2009-11-06 03:42 4096 d-----w- c:\program files\Any Video Converter
2009-11-05 23:52 . 2009-11-05 23:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-05 23:52 . 2009-11-05 23:52 -------- d-----w- c:\program files\Java
2009-11-05 23:16 . 2009-11-05 23:16 4096 d-----w- c:\program files\mIRC
2009-11-05 02:09 . 2009-11-05 02:09 -------- d-----w- c:\program files\uTorrent
2009-11-05 00:49 . 2009-11-05 00:49 -------- d-----w- c:\programdata\SiteAdvisor
2009-11-05 00:47 . 2009-11-05 00:47 4096 d-----w- c:\program files\Common Files\McAfee
2009-11-05 00:47 . 2009-11-05 00:47 -------- d-----w- c:\program files\McAfee.com
2009-11-04 22:48 . 2009-11-04 22:47 4096 d-----w- c:\programdata\MakeMusic
2009-11-04 22:47 . 2009-11-04 22:47 4096 d-----w- c:\program files\SmartMusic 2010
2009-11-04 00:09 . 2009-11-02 22:42 -------- d-----w- c:\programdata\NVIDIA
2009-11-03 01:01 . 2009-11-03 01:01 -------- d-----w- c:\users\Garrett\AppData\Roaming\My Games
2009-11-03 00:33 . 2009-11-02 19:38 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 00:33 . 2009-11-03 00:33 -------- d-----w- c:\program files\Firaxis Games
2009-11-03 00:32 . 2009-11-03 00:32 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-02 22:43 . 2009-11-02 22:43 -------- d-----w- c:\program files\NVIDIA Corporation
2009-11-02 22:42 . 2009-11-02 22:42 8192 d-----w- c:\program files\AGEIA Technologies
2009-11-02 22:26 . 2009-11-02 22:13 4096 d-----w- c:\users\Garrett\AppData\Roaming\ICAClient
2009-11-02 22:10 . 2009-11-02 22:10 38480 ----a-r- c:\users\Garrett\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Icon80951CEC.exe.C76E2E86_AE54_4AF5_997C_63EBB83C7651.exe
2009-11-02 22:10 . 2009-11-02 22:10 38480 ----a-r- c:\users\Garrett\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
2009-11-02 22:10 . 2009-11-02 22:10 38480 ----a-r- c:\users\Garrett\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\ARPICON.80486C74_ABED_4227_AF5C_9B1791CFA89C.exe
2009-11-02 22:10 . 2009-11-02 22:10 26192 ----a-r- c:\users\Garrett\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Iconlights.ico.827545C6_7013_4DE1_8E6C_DAEE4C57F54A.exe
2009-11-02 21:50 . 2009-11-02 21:50 -------- d-----w- c:\programdata\Hewlett-Packard
2009-11-02 21:50 . 2009-11-02 21:48 8192 d-----w- c:\programdata\Microsoft Help
2009-11-02 21:49 . 2009-11-02 21:49 4096 d-----w- c:\program files\Microsoft Works
2009-11-02 21:49 . 2009-11-02 21:49 -------- d-----w- c:\program files\Microsoft.NET
2009-11-02 21:38 . 2009-11-02 21:38 -------- d-----w- c:\program files\SystemRequirementsLab
2009-11-02 19:38 . 2009-11-02 19:38 -------- d-----w- c:\program files\AMD
2009-11-02 19:38 . 2009-11-02 19:38 -------- d-----w- c:\users\Garrett\AppData\Roaming\InstallShield
2009-10-02 04:06 . 2009-11-04 00:14 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-10-01 14:29 . 2009-11-02 19:21 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-23 15:41 . 2009-09-23 15:41 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2009-09-23 12:55 . 2009-12-05 16:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-16 15:22 . 2009-11-05 00:47 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-11-05 00:47 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-11-05 00:47 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-11-05 00:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-10 05:52 . 2009-11-04 02:32 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe


Report •

#15
December 6, 2009 at 17:35:36

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Garrett\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-11-02 133104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-01 289584]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-08-05 224712]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-08 1217808]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13781536]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iCall Internet Phone"="c:\program files\iCall\iCall.exe" [2008-12-18 1587576]

c:\users\Garrett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/5/2009 11:35 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 12:27 PM 1074568]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/1/2009 4:18 PM 93320]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [4/30/2009 9:43 PM 64032]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/20/2009 8:40 PM 25832]
S3 RTCore32;RTCore32;c:\program files\EVGA Precision\RTCore32.sys [5/25/2005 1:39 PM 4608]
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
FF - ProfilePath - c:\users\Garrett\AppData\Roaming\Mozilla\Firefox\Profiles\mu8cqw5i.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\users\Garrett\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Windows ALT Services - c:\windows\winmgr.exe
HKLM-Run-c:\program files\Free Video Zilla\FVZilla.exe - (no file)
AddRemove-Ad-Aware - c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-mIRC - c:\program files\mIRC\uninstall.exe _?=c:\program files\mIRC
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-Steam App 440 - c:\program files\Steam\steam.exe steam://uninstall/440
AddRemove-Steam App 550 - c:\program files\Steam\steam.exe steam://uninstall/550


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5196)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\taskhost.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\sppsvc.exe
c:\windows\System32\rundll32.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\conhost.exe
c:\users\Garrett\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
.
**************************************************************************
.
Completion time: 2009-12-06 20:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-07 01:33

Pre-Run: 526,369,669,120 bytes free
Post-Run: 526,250,369,024 bytes free

- - End Of File - - 0FB8B8269B3E78DFA790BA19DEB2F95D


Report •
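The ComboFix log in #14 and #15 is where the helper found the three files named in the later CFScript (winsec.dll, dens.exe, siuhb.exe): all three were written within two minutes of each other into the drive root and system32, and the same log shows "EnableLUA"= 0 under the policies\system key, meaning UAC was off. The script below is an added example, not part of this thread and not ComboFix's own code: it parses the "Files Created" timeline and the registry loading points and states that triage as an explicit rule. The set of sensitive folders is an assumption made for the example, and the sample lines are constructed from the log posted above.

```python
"""Triage the 'Files Created' timeline and policy keys of a ComboFix log.

Added example: not part of the thread and not ComboFix's own code. Rule:
an executable written fresh into a drive root or system32 is suspicious,
and several of them created within minutes of each other form one burst.
Installer-copied files keep the package's older modified time (so modified
< created); a dropper writing a new file leaves modified >= created.
Also reports "EnableLUA"= 0 under the policies\\system key (UAC off).
Sample lines are constructed from the log posted in the thread.
"""
import re
from datetime import datetime, timedelta

# Timeline entry: <created> . <modified> <size or dashes> <attrs> <path>
FILE_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)
KEY_LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\S+)')

# Parent folders where a freshly written executable is rarely legitimate.
# Constructed for this example; extend per environment.
SENSITIVE_DIRS = {"c:\\", "c:\\windows\\", "c:\\windows\\system32\\"}
EXEC_EXTENSIONS = (".exe", ".dll", ".sys")

# Constructed from the log posted in the thread.
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-07 01:27 . 2009-12-07 01:30 4096 d-----w- c:\users\Garrett\AppData\Local\temp
2009-12-06 22:56 . 2009-12-06 22:56 17408 ----a-w- c:\windows\system32\winsec.dll
2009-12-06 22:55 . 2009-12-06 22:55 51712 ----a-w- C:\dens.exe
2009-12-06 22:55 . 2009-12-06 22:55 30206 ----a-w- C:\siuhb.exe
2009-12-05 17:32 . 2009-12-05 16:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-25 03:00 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-09 23:54 . 2009-09-23 14:41 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-11-07 03:06 . 2009-11-07 03:06 722416 ----a-w- c:\windows\system32\drivers\sptd.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)
"""


def parse_created_files(text):
    """Return timeline entries as dicts; directories (attrs starting 'd') are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d"):
            continue
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "path": m.group("path").strip(),
        })
    return entries


def freshly_written_executables(entries):
    """Executables in a sensitive folder whose modified time is not older than creation."""
    flagged = []
    for e in entries:
        p = e["path"].lower()
        parent = p.rsplit("\\", 1)[0] + "\\"
        if p.endswith(EXEC_EXTENSIONS) and parent in SENSITIVE_DIRS and e["modified"] >= e["created"]:
            flagged.append(e)
    return flagged


def burst_groups(flagged, window=timedelta(minutes=10)):
    """Group flagged entries whose creation times fall within `window` of the previous one."""
    groups = []
    for e in sorted(flagged, key=lambda x: x["created"]):
        if groups and e["created"] - groups[-1][-1]["created"] <= window:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def uac_disabled(text):
    """True when "EnableLUA"= 0 appears under a ...\\policies\\system key."""
    key = ""
    for line in text.splitlines():
        k = KEY_LINE_RE.match(line.strip())
        if k:
            key = k.group("key").lower()
            continue
        v = VALUE_LINE_RE.match(line.strip())
        if v and key.endswith("policies\\system") and v.group("name") == "EnableLUA":
            return v.group("value") == "0"
    return False


def triage(text):
    flagged = freshly_written_executables(parse_created_files(text))
    return {
        "bursts": [[e["path"] for e in g] for g in burst_groups(flagged)],
        "uac_disabled": uac_disabled(text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_COMBOFIX_LOG))
```

On the sample the rule returns exactly one burst containing dens.exe, siuhb.exe and winsec.dll, and reports UAC as disabled; lsdelete.exe, tzres.dll and hamachi.sys are left alone because their modified times predate their creation times, the signature of a file copied out of an installer package rather than written on the box.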

#16
December 6, 2009 at 17:36:52

exeHelper by Raktor
Build 20091204
Run at 20:08:08 on 12/06/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Windows\system32\calc.dll
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

The first log I posted was the ComboFix log, and this one is
the exeHelper log. I'm not sure if everything is back to normal,
so I'll report any strange activity to you if I see anything.
Thanks for the continued support!


Report •

#17
December 6, 2009 at 17:48:22

Open notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\winsec.dll
C:\dens.exe
C:\siuhb.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Report •

#18
December 6, 2009 at 18:19:27

I did as requested and my computer went through another scan,
except this time it didn't last as long. When I came back to my
computer I had a message saying my computer had recovered
from an unexpected shutdown, and said it was a bluescreen. Is
that normal? I didn't get a log this time either to post.

Report •

#19
December 6, 2009 at 18:27:36

Alright I'm seriously getting worried now. I clicked on a link from
Google and it redirected me to another website, even after all of
these scans and work to alleviate this problem.

Report •

#20
December 8, 2009 at 14:58:59

Is anyone still there? I really need help in solving this. Thanks.

Report •

#21
December 8, 2009 at 16:27:59

Some of us actually work for a living, we do this for free.

Part of the problem is that your antivirus was not disabled when you ran the scans; note the bolded text from your ComboFix scan:

ComboFix 09-12-06.09 - Garrett 12/06/2009 20:17.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2046.1004 [GMT -5:00]
Running from: c:\users\Garrett\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Resident AV is active

Then note the paragraph prior to the request for the ComboFix log.

Downoload ComboFix from Internet explorer instead of a third party browser if possible.Remember..your antivirus and any realtime anti-spyware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled and help you determine if you have one that needs to be disabled..

That is the perfect way to toast the computer.


Report •

#22
January 9, 2010 at 06:03:39

I've just spent over an hour reading the ENTIRE post. I've decided the person who wrote this hijack deserves to be chief programmer for MS, Google and/or every other software developer. Either he is a flat out genius, or all the contributors know as much about software as my thirteen year old cat!

And it is not just the "professionals" here either. Not ONE Company, with their millions if not BILLIONS of dollars in resources, has made any more progress than the amateurs here.

This guy must be rolling on the floor watching the keystone cops TRY and amend something he probably designed during a boring lecture.


Report •
