Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Unwanted IE windows

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Unwanted IE windows

Unread postby chryssi2001 » January 5th, 2009, 8:37 am

Hello trags,

Generic!Artemis Cannot be repaired

This was a False positive from McAfee, and it was fixed in November updates.
McAfee was detecting mbam as a trojan.
You must have missed some McAfee updates, update your McAfee please.

Have a read about it here.
If you still have problem when running mbam after updating your McAfee, you can post at McAfee forums, or email to them.

According to the control panel, "Java(TM) 6 Update 11" is installed. The text of this entry doesn't match the name that you specified (and I would have expected the text to appear as you specified, "Java SE Runtime Environment (JRE) 6 Update 11"). However the path is C:\Program Files\Java\jre6\. Should I re-install this update?

Java(TM) 6 update 11, is the latest version, so you need to do nothing.
If any older versions in your Add/Remove programs just remove those.
----------------------------------------------
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following files: if found, delete the following:

C:\Documents and Settings\Noelle Rogers\My Documents\BearShareV6.exe
C:\Documents and Settings\Noelle Rogers\My Documents\bsplayer138.828.exe
C:\WINDOWS\system32\mozulavo.dll.tmp
C:\WINDOWS\system32\tomatofi.dll.tmp

Empty your Recycle-bin.
----------------------------------------------
Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader, you can download Foxit PDF Reader from here.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.)
----------------------------------------------
Any other problems?
Is the pc still running ok?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove

Re: Unwanted IE windows

Unread postby trags » January 8th, 2009, 9:00 am

Hello chryssi2001,
I have verified that the McAfee DAT file is current (5488.0000 dated 07Jan2009). I still get the pop-up about Generic!Artemis when I run MBAM.

- Older JRE versions have been de-installed.
- Acrobat Reader updated.
- Files (4) removed manually in Explorer.

MBAM reported one instance of Malware. Here's the report:

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 3

1/8/2009 7:57:27 AM
mbam-log-2009-01-08 (07-57-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138779
Time elapsed: 56 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I guess I still need to contact McAfee.
The computer is running quite well.

Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 8th, 2009, 11:29 am

Please remove any items in your McAfee quarantee folder.

Re-run Malwarebytes' Anti-Malware and click on remove selected, and post back the new report.

Did you remove that junk folder? Please also empty your recycle bin.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 12th, 2009, 1:44 pm

Hello chryssi2001,
I'm sorry this has taken so long to answer. http://www.malwareremoval.com is blocked as "not business-releated" at work, and I have been without DSL (or landline phone) since last week. Darned rodents! It has been restored now for about 30 minutes.

The junk folder is gone, and the recycled bin has been emptied. I am not on the infected machine yet, but will insure that the quarantined files are deleted, and will re-run MBAM. I am replying with this partial answer to prevent this thread from becoming deactivated due to my lack of response.

Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 12th, 2009, 3:26 pm

Hi trags,

Ok, thanks for letting me know.

I will wait the report.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 12th, 2009, 10:26 pm

Hello chryssi2001,

Things were going so well, but now...
I cannot access http://www.malwareremoval.com/forum/ from the laptop. MBAM no longer works. I cannot access http://www.malwarebytes.org, either. Other than these issues, the laptop still seems to be working OK. I can get to other sites. When I ping www.malwareremoval.com from the laptop, it responds with the localhost address (127.0.0.1). When I ping the site from my Ubuntu machine, it responds with
64 bytes from essexhosting.co.uk (72.233.90.98). I can get to this forum on my Windows desktop machine also. The only difference is it uses a wired network connection (and isn't infected).
When I ping essexhosting.co.uk from the laptop, it responds correctly (the 72.233.90.98 address). I looked at
c:\windows\system32\drivers\etc\hosts, and the only entry was for localhost. I can still get files off the machine with a flash drive, but would like you to direct me to get something that will be useful for you. I also noticed that Windows Firewall had been disabled, so I re-enabled that. Really, I'm not trying to be a bother.

Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 13th, 2009, 4:06 pm

Hello trags,

When you say mbam doesn't work, please describe exactly what is happening.

Those symptoms are very weird. The pc was running ok before you had problems with your ISP.

What happened after your ISP restored your Internet Access?
What was the problems you had?

Please open mbam, and post to me the last log.
Did you run mbam to remove this?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.


Download and transfer the tool below using a USB to the infected pc.
Then run it as per my instructions.
----------------------------------------------
GMER

  • Download GMER by GMER from one of the links below:
    Link1
    Link2
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then

    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 13th, 2009, 10:13 pm

When you say mbam doesn't work, please describe exactly what is happening.

When I double click the icon, the cursor briefly indicates 'busy', the disk activity led flashes once, but then... nothing. This applies to MBAM, ComboFix, and now gmer. I tried this also from start->run. And I also performed a right-click, run as, and ran as Administrator. In all cases the behaviour was the same. Unfortunately, before I notified you of this problem, I thought MBAM was corrupt, so I uninstalled it. I have downloaded a new MBAM setup file from CNET's download.com. This setup executable also won't launch (in the identical manner). The only anti-malware that still works is HijackThis, so I attach that log here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:31 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\program files\steam\steam.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h20239.www2.hp.com/techcenter/HP ... scheck.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O1 - Hosts: 72.233.90.98 http://www.malwarebytes.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11736 bytes

I notice that I forgot to remove www.malwarebytes.com from my hosts file (and it has the wrong address - it should have been www.malwareremoval.com). I fixed this and the results are the same. In addition, I tried to go to windowsupdate.microsoft.com and got the same result.
What happened after your ISP restored your Internet Access?

During the interval that the DSL service was interrupted, my daughter took her laptop to a friend's house, and attached it there. I don't know what activities followed, but when she came back, the strange behaviour began.
Did you run mbam to remove this?

To the best of my recollection, I did not as I don't think I was instructed to do so.

The most recent MBAM log has already been posted, but I will repost here the last log from when it still worked.

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 3

1/8/2009 7:57:27 AM
mbam-log-2009-01-08 (07-57-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138779
Time elapsed: 56 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

If you want me to install any other tools, I can always try something else (sysinternals? wireshark/winpcap? I am familiar with both of these.)
As always, I truly appreciate your efforts.
Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 14th, 2009, 1:31 pm

Hello trags,

To the best of my recollection, I did not as I don't think I was instructed to do so.

I did ask you to do so in this post.

During the interval that the DSL service was interrupted, my daughter took her laptop to a friend's house, and attached it there. I don't know what activities followed, but when she came back, the strange behaviour began.

Do you use your daughter's lap to download tools and transfer them on this pc?

You are re-infected and more seriously than before. The infection is the reason you can't run those tools and prevents you to visit some sites. Can you try to go to other sites that removes malware? Try and let me know, and then disconnect the pc from the internet and do not re-use it to visit the Internet at least for now.

http://www.prevx.com/filenames/X3871264 ... 2EEXE.html

Answer my first question, and let me know also which pc you use to tranfer programs, like you did with Gmer. Do you use a USB? Only one?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 14th, 2009, 7:05 pm

Hello chryssi2001,
I did ask you to do so

In reviewing the posts, I think this one happened after MBAM began failing.
Do you use your daughter's lap to download tools and transfer them on this pc?

That is what I had been doing. Now I must use another PC for browsing and file downloads. I have at my disposal, another Windows XP SP3 machine, and my Ubuntu linux machine. On the alternate Windows PC, I downloaded gmer.zip, and unzipped it. It now resides on my USB flash drive. When I launch it from the flash drive on the uninfected PC, it launches correctly, when I launch it from the flash drive on the infected laptop, it doesn't launch.
Can you try to go to other sites that removes malware?

Every site I can think of (for a malware nube) is blocked. I can't get to McAfee anymore either. Also, now when I try to run a scan from McAfee, it fails (the info link on the "tell Microsoft about this" dialog box mentions something about compatibility mode, and the file names are the DOS 8.3 names). This laptop now has the wireless hardware switch set to "off", and has no ethernet connection either.
http://www.prevx.com/filenames/X3871264 ... 2EEXE.html

I went to this site, and saw that it specified the twex.exe is malware. I have a "Ultimate Boot CD for Windows (see http://www.ubcd4win.com), and used it to delete twex.exe after a standard delete using the regular OS failed.

One last comment. There is now a pseudo-"Security Center" running that looks almost exactly like the Microsoft version. It issues pop-ups at regular intervals and tries to get me to click on a link to install "Spyware Guard 2009". I always right-click on the taskbar titlebar and click on "close". I never click in any of the generated windows. "Spyware Guard 2009" is always closed in the same manner.

One more "last" comment. I have confiscated the infected laptop, so that I can control what happens on it. (Hopefully, at your direction.)

I truly appreciate you effort with this problem.
Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 15th, 2009, 8:07 am

Hello trags,

It seems that your USB is infected.
Obviously 1 of the pc you used is infected too, or both, and you transfered your infection to your pc.

All symptoms you describe are a result of the rootkit infection you have.

One more "last" comment. I have confiscated the infected laptop, so that I can control what happens on it. (Hopefully, at your direction.)

What do you mean by this please?

I went to this site, and saw that it specified the twex.exe is malware. I have a "Ultimate Boot CD for Windows (see http://www.ubcd4win.com), and used it to delete twex.exe after a standard delete using the regular OS failed.

Let me clear something for you.

This rootkit you have is very nasty, and well hidden. Even if you removed that file, it's still there, and downloading more infections each time you visit the Internet.

I don't want you to try any tools on your own, or remove files, except of the instructions i will give you, if you want to clean this pc.

After that you should check the other 2 windows pcs for infections. Yours and your daughters.
If the USB is infected, it infects each pc it's connected too, and backwards.

We can try to clean your pc, but keep it off Internet.

I want you also to use only 1 pc to download tools and transfer them to the infected one.
Not both you have available.

We have a long way to go and you have to be patient.
The other solution you have is re-format this pc, and clean the other 2.

Tell me if you you read and understood what i am saying, and we'll start.
If you decide to proceed to clean it, let me see a new HijackThis log, after the attempt to remove that bad file.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 15th, 2009, 8:55 pm

confiscated

Probably a bad choice of words. I am keeping her laptop, and not allowing her to do schoolwork on it. In addition, she isn't taking it to school and connecting to that wireless network, either. You should have a controlled environment for whatever follows.
Even if you removed that file, it's still there

I had no illusions about that. The comment was meant to convey two pieces of information: 1.) a standard delete was not allowed from the infected Windows OS, and 2.) I do have a bootable CD-ROM. I was just giving you the flavor of the CD's OS. I built the CD from official Microsoft XP licensed CDs, so I would hope that it is virus-free. If Windows ever gets completely non-functional, I would still be able to do something.
I don't want you to try any tools on your own, or remove files, except of the instructions i will give you

Yes I understand this statement, and I will refrain from doing anything else. Unfortunately, before I read this post, I tried one more thing: I renamed gmer.exe to random_name.exe. Then I could launch it (still from the flash drive). In case it generated helpful information, here it is:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-15 19:31:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEC7769CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEC776A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEC776978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEC77698C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEC776A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEC776AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEC776B14]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEC776AF9]
Code E1DF56D8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEC776A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEC776B3E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEC776A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEC776950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEC776964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEC7769DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEC776B7A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEC776AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEC776ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEC776A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEC776B66]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEC776B52]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEC7769B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEC7769A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEC776AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEC776A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEC776B28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEC776A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEC7769F4]
Code EC92FEAB pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP EC7769F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP EC7769CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP EC776A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP EC776A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP E1DF56DC
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP EC7769E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP EC776954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP EC776968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP EC7769A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP EC776990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP EC77697C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP EC7769BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP EC776A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP EC776AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP EC776ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP EC776B2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP EC776AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP EC776A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP EC776A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP EC776A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP EC776AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 5 Bytes JMP EC776B18 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP EC776AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP EC776A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP EC776B7E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP EC776B56 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP EC776B6A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP EC776B42 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01450FEF
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01450F54
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01450053
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01450036
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01450F79
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01450FA5
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01450092
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01450075
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014500AD
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01450F1E
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01450F03
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01450F94
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01450000
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01450064
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01450FC0
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01450011
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01450F39
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01440FCA
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01440FA8
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01440FE5
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0144001B
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0144005B
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01440000
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0144004A
.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01440FB9
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 01420FDE
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01420FEF
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 01420016
.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 01420031
.text C:\WINDOWS\system32\services.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011B0000
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011B0F7E
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011B0F99
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011B007D
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011B006C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011B0036
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011B00B0
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011B009F
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011B00F0
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011B00CB
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011B0101
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 011B0051
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011B0FE5
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011B008E
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 011B0025
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 011B0FD4
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011B0F4D
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 011A0036
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 011A0FA5
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 011A001B
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 011A0FE5
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 011A0062
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 011A000A
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 011A0FC0
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 3A, 89 ]
.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 011A0047
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB0FE5
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 01180FEF
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01180000
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 0118001B
.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 01180038
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02830000
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02830F9B
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02830090
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02830075
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02830FAC
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02830FD1
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 028300ED
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028300D2
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02830F5E
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA + 2 7C80236D 3 Bytes [ EB, 02, 86 ]
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02830112
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02830058
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02830011
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 028300AB
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0283003D
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0283002C
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02830F80
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02820FB9
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0282006C
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02820FCA
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02820FEF
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02820051
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02820000
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02820040
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02820025
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 02800FD4
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 02800FEF
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 02800FC3
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 02800FA8
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027F0FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE005A
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F65
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F80
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE003D
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0F9B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0097
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0086
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0EFE
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F0F
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FE00BC
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FE0075
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FE0F2A
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FD0FA5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FD0FB6
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FD0062
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FB0000
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02730000
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02730F3E
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02730F4F
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02730F76
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02730033
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02730F9B
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0273007C
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0273005F
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02730F01
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02730F12
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 027300BF
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02730022
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02730FDB
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0273004E
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02730FC0
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02730011
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02730F23
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0272001B
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0272006C
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02720FCA
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0272000A
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02720047
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02720FEF
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02720FAF
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 92, 8A ]
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0272002C
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 02100FDE
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 02100FEF
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 0210000A
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 0210001B
.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FE5
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F48
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0047
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F79
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F8A
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0073
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0062
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0084
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0EF5
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007B0ED0
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007B0022
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007B0F37
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007B0FAF
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007B0F10
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007A0087
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007A0025
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007A006C
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 007A0051
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007A0040
.text C:\WINDOWS\system32\svchost.exe[1440] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E70F57
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E7004C
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70031
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E70F68
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E70089
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E70078
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E70F0B
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E70F26
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E700BF
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E70F83
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E70067
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E70F9E
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E7009A
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E2002C
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E20FA5
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E20058
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E20FB6
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 02, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E2003D
.text C:\WINDOWS\system32\svchost.exe[1468] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00E00FCA
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00E0000C
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00E0001D
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F43
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0042
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F68
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0025
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0F94
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0070
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F28
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EF2
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F03
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001C00B0
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001C0F83
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001C0053
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001C000A
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[1868] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001C008B
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002C0014
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002C0043
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002C0F7C
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002C0F97
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4C, 88 ]
.text C:\WINDOWS\system32\wuauclt.exe[1868] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[1868] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00810FDE
.text C:\WINDOWS\system32\wuauclt.exe[1868] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\wuauclt.exe[1868] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\wuauclt.exe[1868] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00810FB7
.text C:\WINDOWS\system32\wuauclt.exe[1868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00820000
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01210FE5
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01210F4B
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01210040
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0121002F
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01210F72
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01210F83
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01210F1F
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0121005B
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01210EE2
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01210EF3
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0121008C
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0121000A
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01210FCA
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01210F30
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01210F94
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01210FB9
.text C:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01210F0E
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FF002F
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FF006F
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FF0FB2
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FF0054
.text C:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\System32\svchost.exe[1932] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00860011
.text C:\WINDOWS\System32\svchost.exe[1932] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00860000
.text C:\WINDOWS\System32\svchost.exe[1932] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00860038
.text C:\WINDOWS\System32\svchost.exe[1932] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00860FE5
.text C:\WINDOWS\System32\svchost.exe[1932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00850000
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014E0000
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014E004A
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014E0F55
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014E0F66
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014E0F83
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014E0F9E
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014E0082
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014E0F3A
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014E00C2
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014E00B1
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 014E0F18
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 014E0025
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 014E0FE5
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 014E005B
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 014E0FAF
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 014E0FCA
.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 014E0F29
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 014D0FCD
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 014D0054
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 014D0014
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 014D0FDE
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 014D0F8D
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 014D0FEF
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 014D002F
.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 014D0FB2
.text C:\WINDOWS\Explorer.EXE[2040] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\Explorer.EXE[2040] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00D50000
.text C:\WINDOWS\Explorer.EXE[2040] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00D50025
.text C:\WINDOWS\Explorer.EXE[2040] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00D50FC8
.text C:\WINDOWS\Explorer.EXE[2040] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B1000A
.text C:\WINDOWS\Explorer.EXE[2040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C9000A
.text C:\WINDOWS\Explorer.EXE[2040] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00AB000A
.text C:\WINDOWS\Explorer.EXE[2040] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B2000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2592] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B005D
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F72
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F94
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B002F
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F26
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0078
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0EF7
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B009A
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0EE6
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F4D
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0014
.text C:\WINDOWS\system32\dllhost.exe[3084] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B0089
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B005B
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B0040
.text C:\WINDOWS\system32\dllhost.exe[3084] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\system32\dllhost.exe[3084] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\dllhost.exe[3084] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00700FEF
.text C:\WINDOWS\system32\dllhost.exe[3084] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00700FD4
.text C:\WINDOWS\system32\dllhost.exe[3084] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00700FC3
.text C:\WINDOWS\system32\dllhost.exe[3084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00820FEF
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F6B
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00060
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F7C
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00F8D
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C0007D
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F35
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00EF5
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F10
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C00EDA
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C00F9E
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C00F50
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\svchost.exe[3392] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C0008E
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BF005B
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[3392] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\system32\svchost.exe[3392] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F94
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80089
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E8006E
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80FA5
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E8002C
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F68
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E800B0
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80F28
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E800CB
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E800DC
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E80047
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E80F83
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E80FCA
.text C:\WINDOWS\system32\svchost.exe[3408] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E80F57
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E70051
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E70040
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E70F9E
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 07, 89 ]
.text C:\WINDOWS\system32\svchost.exe[3408] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E70025
.text C:\WINDOWS\system32\svchost.exe[3408] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\svchost.exe[3408] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[3408] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\system32\svchost.exe[3408] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00E50FC8
.text C:\WINDOWS\system32\svchost.exe[3408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSmhct.sys (*** hidden *** ) EC92E000-EC940000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:488 EC930D66

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\TDSSmhct.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmhct.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmhct.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmtvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmhct.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmhct.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmtvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 95
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid 461
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

---- EOF - GMER 1.0.14 ----

And now the HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:55 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spyware Guard 2009\spywareguard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h20239.www2.hp.com/techcenter/HP ... scheck.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O1 - Hosts: 72.233.90.98 www.malwareremoval.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2009\spywareguard.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ieModule - {746C7839-E492-4D45-9392-EEF0DE53C39F} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {81E5D0D9-FD2E-4808-BD51-E430B34E78F7} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jzfhthayjz.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11823 bytes

Thank you for your efforts. I await further instructions.
Best regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 16th, 2009, 1:44 pm

Hello trags,

Yes the Rootkit is there.

So we have your daughter's pc which is infected.
Your pc, which is the one you will use to download tools.

I will explain what to do on each pc. If you don't understand something, please ask and do not proceed.

Remove from the infected pc:
Combofix
Malwarebytes' Anti-Malware << Try unistalling it using Add/Remove programs.

On your pc:
Download this tool and follow all the instructions so your USB stick will be disinfected:
----------------------------------------------
Flash_Disinfector FOR XP

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
----------------------------------------------
Download on your pc a new copy of Combofix from one of the links below:

Link 1
Link 2
----------------------------------------------
Download a new copy of Malwarebytes' Anti-Malware.
----------------------------------------------
Using the USB stick, transfer them to the infected pc.

Install Combofix at desktop.
Now when installing Malwarebytes' Anti-Malware rename it before you save it.
----------------------------------------------
Note: Do not unplug the USB, let it on the pc, untill Combofix finishes
----------------------------------------------
Try to run Malwarebytes' Anti-Malware.

Here are the instructions again:
  • Open the program and select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
Tell me if you are not able to run it.
----------------------------------------------
Now please double-click and run Combofix.

Stay near the pc, and if you get any messages, and the tool is not running let me know.

If Combofix runs, post back the report, and a new HijackThis log.

After Combofix is done, try and tell me if you can access the forum. If not, disconnect again the pc from the Internet.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 17th, 2009, 12:27 am

Hello chryssi2001,
Well, I can't get very far. On my PC, when I download Flash_Disinfector to my desktop, the download finished with a dialog box:

--------------------------------------------
Error Copying File or Folder.
--------------------------------------------
Cannot copy Flash_Disinfector[1]: Access is denied.

Make sure the disk is not full or write-protected
and that the file is not currently in use.

So I didn't get very far.
I am able to download the file on my linux machine and copy it to the flash drive. When I then mount the flash drive on my Windows PC and select explore (in an attempt to copy to my desktop), I can briefly see the program, but when I click on it, it disappears. I do have psftp installed on my PC, if you think an ftp, rather than http transfer would be any better.

Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 17th, 2009, 2:31 am

Hello trags,

So you weren't able to save it on your pc and it gives that error before saving it?
Flash Disinfector is for your pc and not the infected one. It will be installed on your pc, and stay there, so we can disinfect your USB.

Disable your Anti-Virus and retry to download Flash Disinsfector again. Let me know what happened.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 34 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware