google redirect websites

Dell / INSPIRON 530S
December 14, 2009 at 13:33:09
Specs: Microsoft Windows XP Home Edition, 2.394 GHz / 1013 MB
Hi - I have seen many posts on this but from what I have read, it sounds like this can be a problem unique to each computer. I have tried all the fixes that i felt comfortable doing.... Malwarebytes, super-anti spyware, spybot and others and nothing has worked. It all started after i got this security tool virus which caused me to get the blue screen of death. Somehow I was able to boot normally and get the security tool off; booting in safe mode did not work and still does not. This thing ended up removing my desktop background and who knows what else. After removing security tool, the problem I am having now is that every time I search with google and click a link, I am re-directed to an ad website (always random). As far as the blue screen is concerned, it refeers to shutting down due to new hardware or software being changed or installed - I can get the error # if needed. Any help is appreciated...

I have a hijack this log as well as numerous other logs i can attach if needed


See More: google redirect websites

Report •


#1
December 14, 2009 at 19:34:35
Delete the logs you have, the newer the better.

Do not restart the computer until you run these scans please.

You may need to download the to a usb drive or cd and run it on the infected computer but first try to run it from the infected computer.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Please download Rkill from the following link.

Rkill

Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

If nothing happens or if the tool does not run, please let me know in your next reply.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2.(Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5.Once it has finished, two logs will open: log.txt<-- this will be maximized and info.txt<-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate post) in your next reply. It may take 3 to 4 post to get the entire log to us.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
•Exit GMER and re-enable all active protection when done.


Report •

#2
December 14, 2009 at 22:22:57
exeHelper by Raktor
Build 20091204
Run at 22:54:47 on 12/14/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


Report •

#3
December 14, 2009 at 22:23:54
info.txt logfile of random's system information tool 1.06 2009-12-14 23:13:10

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dell DataSafe Online-->MsiExec.exe /I{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Documentation & Support Launcher-->MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
ffdshow [rev 2019] [2008-06-22]-->"C:\Program Files\ffdshow\unins000.exe"
Games, Music, & Photos Launcher-->MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Internet Service Offers Launcher-->MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Musicmatch for Windows Media Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E93E5EF6-D361-481E-849D-F16EF5C78EBC}\setup.exe" -l0x9 remove
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x9 -cluninstall
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE-->C:\Documents and Settings\All Users\Application Data\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SearchAssist-->C:\DELL\SearchAssist\UninstSA.bat
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Shareaza version 2.2.3.0-->"C:\Program Files\Shareaza\Uninstall\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TestDrive Client-->MsiExec.exe /X{36C9E08A-BE2B-40A0-83C5-576748F7B777}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows PowerShell(TM) 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~2.DLL
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: McAfee VirusScan (disabled) (outdated)
FW: McAfee Personal Firewall (disabled)

======System event log======

Computer Name: BOOYA
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 8090
Source Name: Tcpip
Time Written: 20091005190424.000000-300
Event Type: warning
User:

Computer Name: BOOYA
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 8074
Source Name: Tcpip
Time Written: 20091005183330.000000-300
Event Type: warning
User:

Computer Name: BOOYA
Event Code: 1002
Message: The IP address lease 192.168.1.64 for the Network Card with network address 001D099DD713 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 8071
Source Name: Dhcp
Time Written: 20091005182643.000000-300
Event Type: error
User:

Computer Name: BOOYA
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 8049
Source Name: Tcpip
Time Written: 20091004235859.000000-300
Event Type: warning
User:

Computer Name: BOOYA
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 8048
Source Name: Tcpip
Time Written: 20091002182701.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: BOOYA
Event Code: 32068
Message: The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Record Number: 1891
Source Name: Microsoft Fax
Time Written: 20090112192846.000000-360
Event Type: warning
User:

Computer Name: BOOYA
Event Code: 32026
Message: Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Record Number: 1890
Source Name: Microsoft Fax
Time Written: 20090112192846.000000-360
Event Type: warning
User:

Record Number: 1886
Source Name: Application Error
Time Written: 20090112083205.000000-360
Event Type: error
User:

Computer Name: BOOYA
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16762, faulting module mshtml.dll, version 7.0.6000.16788, fault address 0x0019a06d.

Record Number: 1885
Source Name: Application Error
Time Written: 20090111162425.000000-360
Event Type: error
User:

Record Number: 1883
Source Name: Application Error
Time Written: 20090109175400.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\WINDOWS\system32\WindowsPowerShell\v1.0
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\

-----------------EOF-----------------


Report •

Related Solutions

#4
December 14, 2009 at 22:24:43
Logfile of random's system information tool 1.06 (written by random/random)
Run by Jeff at 2009-12-14 23:13:06
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 23 GB (5%) free of 474 GB
Total RAM: 1013 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:10 PM, on 12/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jeff\Desktop\RSIT.exe
C:\Program Files\trend micro\Jeff.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/res...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/D...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7180 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mcapbho.dll [2007-11-26 324936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-06-21 2549368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2008-06-21 325048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-06-21 2549368]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-07-16 142104]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-07-16 162584]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-07-16 138008]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-07-16 16132608]
"PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2007-09-17 124200]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-03-11 16384]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2009-07-26 3883856]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-11-23 2001648]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-07-16 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\byXPIaYO

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=
"NoFolderOptions"=
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe"="C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe:*:Enabled:Shareaza"
"C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\DOCUME~1\Jeff\LOCALS~1\Temp\4_pinnew.exe"="C:\DOCUME~1\Jeff\LOCALS~1\Temp\4_pinnew.exe:*:Enabled:Enabled"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06c5c24f-2967-11de-92e0-001d099dd713}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-12-14 23:13:06 ----D---- C:\rsit
2009-12-14 11:33:58 ----A---- C:\RootRepeal report 12-14-09 (11-33-58).txt
2009-12-14 10:21:47 ----D---- C:\Program Files\Panda Security
2009-12-14 03:10:38 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-13 22:40:09 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-13 18:23:45 ----D---- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2009-12-13 18:23:31 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-13 18:23:25 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-13 16:14:45 ----A---- C:\WINDOWS\ntbtlog.txt
2009-12-09 03:03:36 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-09 03:03:30 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-09 03:03:04 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-09 03:02:58 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-09 03:02:51 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-11-30 13:43:09 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-11-30 07:33:54 ----D---- C:\WINDOWS\system32\XPSViewer
2009-11-30 07:33:51 ----D---- C:\Program Files\MSBuild
2009-11-30 07:33:44 ----D---- C:\Program Files\Reference Assemblies
2009-11-30 07:33:18 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-11-30 07:33:17 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-11-30 07:33:17 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-11-30 07:33:17 ----D---- C:\61ed5f07a59c9afecbb9
2009-11-30 07:33:04 ----D---- C:\WINDOWS\SxsCaPendDel
2009-11-29 18:09:47 ----D---- C:\Documents and Settings\Jeff\Application Data\ElevatedDiagnostics
2009-11-29 18:09:22 ----A---- C:\WINDOWS\imsins.BAK
2009-11-29 18:09:04 ----D---- C:\WINDOWS\system32\windowspowershell
2009-11-29 18:08:55 ----HDC---- C:\WINDOWS\$NtUninstallKB926139-v2$
2009-11-29 18:05:35 ----D---- C:\Program Files\Microsoft ATS
2009-11-26 03:01:11 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-26 03:01:02 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$

======List of files/folders modified in the last 1 months======

2009-12-14 23:13:07 ----D---- C:\Program Files\Trend Micro
2009-12-14 23:12:10 ----D---- C:\WINDOWS\Temp
2009-12-14 23:00:32 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-14 22:57:25 ----D---- C:\WINDOWS\Prefetch
2009-12-14 15:46:06 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-14 14:54:06 ----D---- C:\MDT
2009-12-14 14:53:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-14 13:26:40 ----D---- C:\WINDOWS
2009-12-14 11:25:56 ----D---- C:\WINDOWS\system32\drivers
2009-12-14 10:21:47 ----RD---- C:\Program Files
2009-12-14 10:21:47 ----HD---- C:\WINDOWS\inf
2009-12-14 10:19:36 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-12-14 09:21:45 ----D---- C:\Program Files\Common Files
2009-12-14 03:11:15 ----SHD---- C:\WINDOWS\Installer
2009-12-14 03:11:14 ----D---- C:\WINDOWS\WinSxS
2009-12-14 03:11:12 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-13 22:47:17 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-13 22:47:12 ----D---- C:\Documents and Settings\Jeff\Application Data\SUPERAntiSpyware.com
2009-12-13 20:18:51 ----RASH---- C:\boot.ini
2009-12-13 20:18:51 ----A---- C:\WINDOWS\win.ini
2009-12-13 20:18:51 ----A---- C:\WINDOWS\system.ini
2009-12-13 19:09:20 ----D---- C:\WINDOWS\system32
2009-12-13 19:09:19 ----D---- C:\WINDOWS\Config
2009-12-13 19:07:25 ----SD---- C:\WINDOWS\Tasks
2009-12-13 18:22:01 ----AC---- C:\WINDOWS\wininit.ini
2009-12-13 17:07:04 ----D---- C:\WINDOWS\pss
2009-12-13 16:49:51 ----SHD---- C:\WINDOWS\system32\dllcache
2009-12-09 03:24:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-09 03:03:23 ----D---- C:\Program Files\Internet Explorer
2009-12-09 03:03:10 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-09 03:00:22 ----D---- C:\WINDOWS\Debug
2009-12-01 14:06:19 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-30 18:53:33 ----D---- C:\Documents and Settings\All Users\Application Data\Dell
2009-11-30 14:14:26 ----D---- C:\WINDOWS\Microsoft.NET
2009-11-30 14:14:22 ----RSD---- C:\WINDOWS\assembly
2009-11-30 13:43:24 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-30 07:33:52 ----D---- C:\WINDOWS\system32\en-US
2009-11-30 07:33:48 ----RSD---- C:\WINDOWS\Fonts
2009-11-30 07:33:28 ----D---- C:\WINDOWS\system32\spool
2009-11-29 18:11:51 ----D---- C:\WINDOWS\AppPatch
2009-11-29 18:09:12 ----D---- C:\WINDOWS\system32\config
2009-11-29 17:29:55 ----D---- C:\WINDOWS\system32\wbem
2009-11-29 17:29:55 ----D---- C:\WINDOWS\Registration
2009-11-18 17:51:43 ----D---- C:\Program Files\Spybot - Search & Destroy

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-07-19 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-07-16 5760096]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-07-16 4403712]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-24 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-12-11 358224]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2007-11-26 23880]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-14 201968]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-15 38912]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2008-06-14 16680]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-21 138168]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-12-02 74384]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


Report •

#5
December 14, 2009 at 22:28:56
GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-15 00:16:14
Windows 5.1.2600 Service Pack 3
Running: v4033qop.exe; Driver: C:\DOCUME~1\Jeff\LOCALS~1\Temp\uxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA73FA0B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA733D9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA733DA41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA733D958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA733D96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA733DA55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA733DA81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA733DAEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA733DAD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA733D9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA733DB1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA733DA2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA733D930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA733D944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA733D9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA733DB57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA733DAC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA733DAAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA733DA6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA733DB43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA733DB2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA733D996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA733D982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA733DA97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA733DA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA733DB05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA733DA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA733D9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A733D9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A733D9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A733D9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A733DA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A733D9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A733D934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A733D948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A733D986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A733D970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A733D95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A733D99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A733DA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A733DAB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A733DA9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP A733DB09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A733DAC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A733DA6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP A733DA45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A733DA59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A733DA85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP A733DAF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A733DADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A733DA31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A733DB5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP A733DB33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP A733DB47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey


Report •

#6
December 14, 2009 at 22:31:10
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10058
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D1003D
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10F6F
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FAF
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10075
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F2D
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F08
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D100A1
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10EED
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10F94
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F3E
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[648] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10090
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00680FD4
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00680F6F
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00680025
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00680014
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00680036
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00680FEF
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00680F94
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [88, 88]
.text C:\WINDOWS\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00680FAF
.text C:\WINDOWS\system32\svchost.exe[648] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00670FA8
.text C:\WINDOWS\system32\svchost.exe[648] msvcrt.dll!system 77C293C7 5 Bytes JMP 0067003D
.text C:\WINDOWS\system32\svchost.exe[648] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00670FDE
.text C:\WINDOWS\system32\svchost.exe[648] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0067000C
.text C:\WINDOWS\system32\svchost.exe[648] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00670FCD
.text C:\WINDOWS\system32\svchost.exe[648] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\svchost.exe[648] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[648] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[648] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00650FAF
.text C:\WINDOWS\system32\svchost.exe[648] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00650F9E
.text C:\WINDOWS\system32\svchost.exe[648] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01420000
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01420076
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01420F81
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01420F92
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01420FAF
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01420036
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01420F52
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014200A4
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014200C9
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01420F30
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014200DA
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01420051
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01420FE5
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01420087
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01420FCA
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01420011
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01420F41
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F68
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060F9C
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FB7
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[752] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00040FB9
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0114000A
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01140F6F
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01140F80
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01140F9B
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01140FAC
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0114003D
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01140F4D
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01140095
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01140F28
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011400B7
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011400D2
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01140058
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01140FEF
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01140F5E
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0114002C
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0114001B
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011400A6
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01130051
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01130FDB
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01130036
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01130025
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01130098
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0113000A
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0113007D
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0113006C
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01120FC1
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!system 77C293C7 5 Bytes JMP 01120FD2
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01120FE3
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01120000
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01120042
.text C:\WINDOWS\system32\lsass.exe[764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0112001D
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01110000
.text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\lsass.exe[764] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026C0FEF
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026C0F68
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026C005D
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026C0F79
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026C0036
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026C0FA5
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026C0F4D
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026C0095
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026C00F0
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026C00D5
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026C0101
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026C0F94
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026C0FDE
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026C0078
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026C001B
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026C000A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026C00BA
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0262001B
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02620F8A
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02620FCA
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02620FE5
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02620FA5
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02620000
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02620051
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02620036
.text C:\WINDOWS\system32\svchost.exe[936] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02610F92
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 02610FAD
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02610FE3
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0261000C
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02610FC8
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0261001D
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 025F0FEF
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 025F0014
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 025F0025
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 025F0040
.text C:\WINDOWS\system32\svchost.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02600FEF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010F0000
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010F0098
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010F007D
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010F006C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010F0FAF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010F0FC0
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010F00C9
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010F0F81
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010F0F41
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010F00DA
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010F0F30
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010F0051
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010F001B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010F0F92
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010F002C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010F0FDB
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010F0F66
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010E002C
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010E0047
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010E0FE5
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010E0011
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010E0F8A
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 010E0FA5
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [2E, 89]
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010E0FC0
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010D0036
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 010D0FAB
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010D0FC6
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010D001B
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010D0000
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1016] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03680FE5
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03680F5E
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03680053
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03680036
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03680F79
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0368001B
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 036800A6
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03680095
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 036800D2
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 036800C1
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03680F14
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03680F94
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03680000
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03680078
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03680FAF
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03680FCA
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03680F43
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03670011
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03670F68
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03670FC0
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03670000
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03670F83
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03670FE5
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03670F94
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [87, 8B]
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03670FA5
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03660FAD
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 03660FC8
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03660FD9
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03660000
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0366002E
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0366001D
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03640FEF
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03640014
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03640FDE
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0364002F
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03650FEF
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0F5E
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0F79
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0047
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0F8A
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0036
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0F30
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0F4D


Report •

#7
December 14, 2009 at 22:32:45
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00BF
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA00AE
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0F01
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0FAF
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA001B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0078
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0FCA
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA0093
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90FCA
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90F72
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A9001B
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90F8D
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90F9E
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C9, 88]
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90FAF
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FA3
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80FBE
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8001D
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A8000C
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A8002E
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80FE3
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A60FD4
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A6002F
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1F0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01130000
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01130F80
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01130075
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01130F9B
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01130058
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01130FD1
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011300A6
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01130F5E
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011300E6
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01130F4D
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01130F28
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01130FC0
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01130011
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01130F6F
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0113003D
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0113002C
.text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011300C1
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01120FA8
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01120F68
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01120FB9
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01120FD4
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0112001B
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01120FEF
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01120F83
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [32, 89]
.text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0112000A
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01110F81
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!system 77C293C7 5 Bytes JMP 01110016
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01110FC1
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01110FA6
.text C:\WINDOWS\system32\svchost.exe[1324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01110FDE
.text C:\WINDOWS\system32\svchost.exe[1324] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 010F0FEF
.text C:\WINDOWS\system32\svchost.exe[1324] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 010F000A
.text C:\WINDOWS\system32\svchost.exe[1324] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 010F001B
.text C:\WINDOWS\system32\svchost.exe[1324] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 010F0036
.text C:\WINDOWS\system32\svchost.exe[1324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01100FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0F5A
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D004F
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F75
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0F86
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FA8
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0085
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0F33
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0EFD
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F18
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D00B1
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0F97
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D000A
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D006A
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0096
.text C:\WINDOWS\system32\wuauclt.exe[2660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C005A
.text C:\WINDOWS\system32\wuauclt.exe[2660] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FCF
.text C:\WINDOWS\system32\wuauclt.exe[2660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C002E
.text C:\WINDOWS\system32\wuauclt.exe[2660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\wuauclt.exe[2660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C003F
.text C:\WINDOWS\system32\wuauclt.exe[2660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0011
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F8A
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D000A
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0047
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002D0036
.text C:\WINDOWS\system32\wuauclt.exe[2660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0025
.text C:\WINDOWS\system32\wuauclt.exe[2660] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\wuauclt.exe[2660] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\wuauclt.exe[2660] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00990FC0
.text C:\WINDOWS\system32\wuauclt.exe[2660] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00990FA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2856] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C005D
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C004C
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F72
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F83
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F57
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0093
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F32
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00CB
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C00E6
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F94
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0011
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0082
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FC0
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FDB
.text C:\WINDOWS\explorer.exe[2896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00BA
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0F9E
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F57
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0014
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F7C
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\explorer.exe[2896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0F8D
.text C:\WINDOWS\explorer.exe[2896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0053
.text C:\WINDOWS\explorer.exe[2896] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FC8
.text C:\WINDOWS\explorer.exe[2896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C001D
.text C:\WINDOWS\explorer.exe[2896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[2896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0038
.text C:\WINDOWS\explorer.exe[2896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FE3
.text C:\WINDOWS\explorer.exe[2896] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002E0FEF
.text C:\WINDOWS\explorer.exe[2896] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002E000A
.text C:\WINDOWS\explorer.exe[2896] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002E0FD4
.text C:\WINDOWS\explorer.exe[2896] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002E0FB9
.text C:\WINDOWS\explorer.exe[2896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 9AF8AD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 870FB618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


That should be it


Report •

#8
December 15, 2009 at 18:24:11
1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


4. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
5. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Report •

#9
December 16, 2009 at 20:09:27
jabuck,

I need some time to respond with the log - I ran into some issues and am still trying to fix the good ol blue screen of death problem; still can't get the thing to boot. Hopefully I can salvage it soon and get windows to load.


Report •

#10
December 16, 2009 at 20:14:53
Try to boot into safe mode with networking. Use only the F8 method to get into safe mode as any other method may lock you out of safe mode.

To do that turn off the computer wait 30 seconds> restart the computer and tap F8 as it starts> you should get an option screen choose safe mode w/ networking.


Report •

#11
December 16, 2009 at 20:23:23
it will not even boot in safe mode or any mode - im running chkdsk /r and praying as we speak - will let you know how it goes..... 57% and counting

Report •

#12
December 16, 2009 at 20:49:02
Sounds like you are running from your xp cd.

If it does not boot you will most likely need to do a repair install.


Report •

#13
December 16, 2009 at 21:01:30
i am - still running. In fact, I did a repair restall already and no re-boot, then figured out the chkdsk thing - if it still doesn't work, I am going to need some advice..... 58%...

damn all ye virus makers!


Report •

#14
December 17, 2009 at 06:58:31
still bsod - any suggestions? fxmbr maybe?

Report •

#15
December 17, 2009 at 08:06:54
I would run sfc /scannow first.

What were you doing when you first got the blue screen and when you try booting into safe mode do you get the option screen, if you do get the option select "disable automatic restart on system failure" if it will allow you to do so then restart. If it gives you the "stop" numbers post them please.


Report •

#16
December 17, 2009 at 09:13:43
I will try the sfc /scannow. I have disabled the automatic restart already and it didn't work. I first got the blue screen when I got the initial virus - after this I was able to get back into windows and start cleaning with the various anti/spyware/virus programs out there. The new blue screen error I have started after I ran tdskiller, rebooted and another spyware program i had loaded on startup, saying I had a very bad and infected file that needed to be removed. I removed the file, it autoatically re-booted and boom, BSOD again. The stop number is.. 0x0000007B - do you need the other numbers that come after?

Report •

#17
December 17, 2009 at 11:11:27
OK - got a little do dad to plug the infected harddrive to my old pc and transferring all my important data to an external drive. Gonna take a while but I should have my data only backed up in case I have to re-install xp - when the backup is done, I will hook back up the infected harddrive and run scannow and post the results.

thanks


Report •

#18
December 17, 2009 at 12:09:07
The file you removed is the problem of course and sfc /scannow should reinstall it and will ask for the xp cd to extract the missing file. Was it this file?

C:\WINDOWS\system32\drivers\atapi.sys

The last group of numbers on the stop screen actually tell you where the problem is. I think we already know.


Report •

#19
December 17, 2009 at 12:47:21
that file does look familiar - why would the program consider this file bad and suggest I remove it? Just to be clear, I need to run scannow from the repair option from the boot disk - same place i ran chkdsk right?

After this is all done, will I need to continue the virus removal steps I started? or will all of what i have done clean my system out enough?

Thanks for all your help on this


Report •

#20
December 17, 2009 at 12:58:45
The new blue screen error I have started after I ran tdskiller, rebooted and another spyware program i had loaded on startup, saying I had a very bad and infected file that needed to be removed. I removed the file, it autoatically re-booted and boom, BSOD again.

Usually when someone is helping you remove baddies it is best not do anything to the computer without at least getting their imput. The file was infected but would allow the computer to run as most infections do, the trick is to either clean the file or replace it without rebooting as ...well you see the results.

I will be in and out today, let me know if you need help.


Report •

#21
December 18, 2009 at 07:14:57
Jabuck,

Thanks for all your help on this... I have decided to start a new and re-install xp to make sure everything is fresh. I was able to retreive all my crucial data and in the end this may have worked out for the best since I get a nice fresh computer out of it.


Report •

#22
December 19, 2009 at 16:56:23
Thanks for the update, glad you got the computer up and running.

Report •


Ask Question