Google Misdirect Virus and Possible Trojan

Post by c_c_2011 » June 25th, 2011, 12:08 pm

I am using Windows Vista Home Basic. I just recently picked up a Google misdirect virus on Firefox Mozilla in the last few days. I was bombarded by some looping msiexec.exe files from an unidentified publisher and stupidly allowed them to download onto my computer. I had McAfee Security Center running and it caught some Trojan viruses. I then downloaded avast! Antivirus and it caught a lot of malware on my computer. Unfortunately, the Google Misdirect Virus still persists randomly (sometimes when I click links I'm not misdirected, but other times I am). I've tried manually editing the hosts file only to discover that nothing had been altered. I also checked to make sure that Firefox wasn't going through preset DNS servers (hopefully I described that correctly). I'm not exactly sure what is happening and I would really appreciate any help!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_18
Run by Cindy at 11:47:02 on 2011-06-25
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1789.860 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Users\Cindy\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx? ... 209&m=d620
mStart Page = hxxp://homepage.emachines.com/rdr.aspx? ... 209&m=d620
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {178967b2-48fc-43fc-a0a5-12f0a306a3b9} - c:\windows\system32\atitmmxx32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110512232804.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Google Update] "c:\users\cindy\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eRecoveryService]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Skytel] Skytel.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\cindy\appdata\roaming\microsoft\windows\start menu\programs\startup\PowerReg Scheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1 192.168.1.50 68.105.28.12
TCP: Interfaces\{31ACEB1F-49A9-4F9A-9E49-A5190977EE7A} : DhcpNameServer = 192.168.1.1 192.168.1.1 192.168.1.50 68.105.28.12
TCP: Interfaces\{9320EF47-532A-4291-998C-C147787C40C9} : DhcpNameServer = 68.87.73.246 68.87.71.230
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\programdata\atitmmxx32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cindy\appdata\roaming\mozilla\firefox\profiles\5s9d06vt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=14-06-2010&tb_mrud=14-06-2010
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\cindy\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\users\cindy\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\cindy\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\cindy\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XUL Cache: {730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0} - %profile%\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 387480]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-23 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-23 307928]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-1-28 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-1-28 165032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-23 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-6-23 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-23 42184]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-2-28 24576]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-8 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-28 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-28 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-28 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-28 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-28 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-28 141792]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-28 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-8 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-8 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-28 314088]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2008-8-27 22072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-2-28 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-28 84488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-8 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-8 40552]
.
=============== Created Last 30 ================
.
2011-06-25 05:10:25 172032 --sha-w- c:\programdata\atitmmxx32.dll
2011-06-23 04:28:26 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-23 04:28:21 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-06-23 04:20:47 40112 ----a-w- c:\windows\avastSS.scr
2011-06-23 04:14:39 -------- d-----w- c:\programdata\AVAST Software
2011-06-23 04:14:39 -------- d-----w- c:\program files\AVAST Software
2011-06-23 04:11:29 0 ---ha-w- c:\windows\system32\zjgklquyzt.tmp
2011-06-21 04:02:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-19 03:40:36 350208 ----a-w- c:\windows\system32\atitmmxx32.dll
2011-06-17 05:35:35 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-17 05:35:28 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-17 05:35:19 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-17 05:35:19 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-17 05:35:09 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-17 05:35:01 758784 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2011-06-17 05:33:56 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-17 05:33:54 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-17 05:33:54 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-17 05:33:39 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-06-13 20:55:20 0 ---ha-w- c:\users\cindy\appdata\local\BITEFFB.tmp
2011-06-11 21:35:29 0 ---ha-w- c:\users\cindy\appdata\local\BITF758.tmp
2011-06-07 16:35:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-07 16:35:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-05-28 06:08:58 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 06:04:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 05:10:26 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-02 17:16:14 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 18:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 18:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 18:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 18:01:38 64584 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-04-14 18:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-14 18:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 18:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-14 18:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 18:01:38 165032 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-04-14 18:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-14 18:01:38 141792 ----a-w- c:\windows\system32\mfevtps.exe
.
============= FINISH: 11:51:59.77 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 2/28/2009 12:02:24 PM
System Uptime: 6/25/2011 7:13:27 AM (4 hours ago)
.
Motherboard: eMachines | | eMachines D620
Processor: AMD Athlon(tm) Processor 2650e | Socket M2/S1G1 | 800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 79.139 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0001
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0001
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0000
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter
PNP Device ID: ROOT\*ISATAP\0000
Service: tunnel
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.4.5
Adobe Shockwave Player 11.5
AMD USB Audio Driver Filter
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
avast! Free Antivirus
Bonjour
Canon Inkjet Printer Driver Add-On Module
Canon MP750
Canon ScanGear Starter
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Civilization III
Comcast Desktop Software (v1.2.0.9)
Compatibility Pack for the 2007 Office system
D3DX10
Debut Video Capture Software
Desktop Doctor
eMachines
eMachines Recovery Management
EPSON Printer Software
GearDrvs
Google Chrome
Google Desktop
Google Talk Plugin
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IBM SPSS Statistics 19
InterVideo WinDVD 8
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Launch Manager
LightScribe 1.4.142.1
Marvell Miniport Driver
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox (3.6.2)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyITLab ActiveX Installer 2, 9, 8, 65535
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
OGA Notifier 2.0.0048.0
OpenOffice.org 3.2
QuickTime
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Skins
Skype™ 4.2
Synaptics Pointing Device Driver
Uninstall 1.0.0.1
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VideoPad Video Editor
Viewpoint Media Player
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
yWriter5
.
==== Event Viewer Messages From Past Week ========
.
6/25/2011 12:33:01 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
6/25/2011 12:33:01 AM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/25/2011 12:32:39 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
6/25/2011 12:20:02 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.
6/25/2011 12:19:28 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EMDMgmt service.
6/25/2011 10:44:41 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
6/25/2011 10:41:36 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/22/2011 10:41:32 PM, Error: Service Control Manager [7034] - The UPnP Device Host service terminated unexpectedly. It has done this 1 time(s).
6/20/2011 4:02:28 AM, Error: Service Control Manager [7034] - The UPnP Device Host service terminated unexpectedly. It has done this 2 time(s).
6/18/2011 2:09:38 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
6/18/2011 2:09:38 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/18/2011 2:09:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
.
==== End Of File ===========================
c_c_2011
Active Member
 
Posts: 13
Joined: June 25th, 2011, 11:39 am
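The DDS log above can be triaged mechanically before a helper reads it line by line. The following Python script is an added example, not a tool from the forum or from the DDS utility; it parses a constructed excerpt built from entries in the posted log and flags the items a helper looks at first: AppInit_DLLs entries, browser helper objects with no display name, processes launched from a temp or data directory, and recently created files that carry system+hidden attributes or share a name with a flagged DLL. The function and constant names are the example's own.

```python
"""Triage pass over a DDS-style log.

Added example, not a tool from the forum or from DDS itself. SAMPLE_LOG is a
constructed excerpt built from entry types found in the log posted above.
"""
import re
from collections import defaultdict

# "============== Pseudo HJT Report ===============" -> section name
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "2011-06-25 05:10:25 172032 --sha-w- c:\programdata\x.dll" -> date, size, attrs, path
CREATED_RE = re.compile(r"^(\S+ \S+) (\d+|-+) (\S{8}) (.+)$")
# "BHO: Name: {guid} - path"  or  "BHO: {guid} - path" (no display name)
BHO_RE = re.compile(r"^BHO: (?:(.*?): )?\{([0-9a-fA-F-]+)\} - (.+)$")

# Locations from which an auto-loaded DLL or a running process deserves a second look.
SUSPECT_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\temp\\")

SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Cindy\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
BHO: {178967b2-48fc-43fc-a0a5-12f0a306a3b9} - c:\windows\system32\atitmmxx32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\programdata\atitmmxx32.dll
.
=============== Created Last 30 ================
.
2011-06-25 05:10:25 172032 --sha-w- c:\programdata\atitmmxx32.dll
2011-06-23 04:28:26 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-23 04:14:39 -------- d-----w- c:\programdata\AVAST Software
2011-06-19 03:40:36 350208 ----a-w- c:\windows\system32\atitmmxx32.dll
.
============= FINISH: 11:51:59.77 ===============
"""


def parse_sections(text):
    """Split a DDS log into {SECTION NAME: [lines]}; '.' separator lines are dropped."""
    sections, current = defaultdict(list), "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        sections[current].append(line)
    return sections


def basename(path):
    """Last path component, lower-cased, so entries can be matched across sections."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return (category, path, reason) findings worth a helper's attention."""
    s = parse_sections(text)
    findings = []

    for line in s.get("PSEUDO HJT REPORT", []):
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for dll in line.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append(("appinit", dll.strip(), "AppInit_DLLs entry"))
            continue
        m = BHO_RE.match(line)
        if m and not m.group(1):
            findings.append(("bho", m.group(3), "browser helper object with no display name"))

    # Names of the DLLs flagged so far, to correlate with recently created files.
    flagged = {basename(p) for _c, p, _r in findings}

    for line in s.get("RUNNING PROCESSES", []):
        if any(d in line.lower() for d in SUSPECT_DIRS):
            findings.append(("process", line, "running from a temp or data directory"))

    for line in s.get("CREATED LAST 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, _size, attrs, path = m.groups()
        low = path.lower()
        reasons = []
        if "sh" in attrs:  # DDS attribute string, e.g. --sha-w- = system + hidden
            reasons.append("system+hidden attributes")
        if basename(path) in flagged:
            reasons.append("same name as a flagged autostart DLL")
        if low.endswith((".dll", ".exe")) and any(d in low for d in SUSPECT_DIRS):
            reasons.append("executable created in a temp or data directory")
        if reasons:
            findings.append(("created", path, when + ": " + ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for category, path, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {path}\n    {reason}")
```

On the sample, the two copies of atitmmxx32.dll surface from three directions at once (unnamed BHO, AppInit_DLLs, and a freshly created system+hidden file in ProgramData), which is the correlation that makes the file the first candidate to submit for scanning.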

Re: Google Misdirect Virus and Possible Trojan

Post by Cypher » June 26th, 2011, 12:37 pm

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not solve other issues you have with your machine.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions, if possible... your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or which necessitate taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.
Backup your data - XP
Backup your data - Vista
Backup your data - windows 7


Vista Advice:
  • All applications I ask to be used will require to be run in Administrator mode, i.e. right-click on the program and select Run as Administrator.
  • Your Operating System in use comes with an inbuilt utility called User Access Control (UAC).
  • When prompted by this for anything I ask you to carry out, please select the option Allow.

Multiple Anti-Virus programs

  • You are operating your computer with multiple Anti Virus programs running in memory at once:
    avast! Antivirus
    McAfee Anti-Virus
  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
  • Please remove one of them.

Next.

Upload File/Files for testing

Please go to Virustotal or jotti.org

Copy/paste this file and path into the white box at the top:
c:\windows\system32\atitmmxx32.dll

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address: [image]

Next.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Right-click mbam-setup.exe And select " Run as administrator " then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now right-click on RKUnhookerLE.exe and select "Run As Administrator" to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • * This can take a while. Please be patient *.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of this log in your next reply.
  • This log can be lengthy; you may have to post it in separate replies.
  • Note: You may get the following warning - it is ok - just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"


Logs/Information to Post in your Next Reply

  • Virustotal or jotti results.
  • Malwarebytes log.
  • RKUnHooker log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
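The Code Hooks section of the report requested above is the part that needs reading once it arrives: each line names the patched image and export, the jump target, and the module RkU found at that target, or unknown_code_page when no loaded module is mapped there. The following is an added example, not code from this thread, its helper or the RkU project, that parses that section and separates hooks owned by a named driver (such as an antivirus filter) from hooks landing in unbacked memory, grouped per process by the API family they cover; SAMPLE_REPORT is a constructed excerpt in RkU's line format.

```python
"""Triage the >Hooks section of a Rootkit Unhooker (RkU LE) report.
Added example for this thread; not code from the forum, the helper or the RkU
project. SAMPLE_REPORT is a constructed excerpt in the line format RkU uses."""
import re
from collections import defaultdict, namedtuple

# e.g.  [1008]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->003B0000 [unknown_code_page]
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>[^\s,]+), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)

# API families worth calling out when their hooks land in unbacked memory.
FAMILIES = {
    "registry": ("RegCreateKey", "RegOpenKey"),
    "file": ("CreateFile", "NtCreateFile", "CreateNamedPipe", "CreatePipe"),
    "process": ("CreateProcess", "NtCreateProcess", "WinExec"),
    "loader": ("LoadLibrary", "GetProcAddress"),
    "memory": ("VirtualProtect", "NtProtectVirtualMemory"),
    "network": ("socket", "InternetOpen"),
}

# pid is None and process == "kernel" for kernel-mode hooks; owner is the module
# RkU found at the jump target, or "unknown_code_page" when none is mapped there.
Hook = namedtuple("Hook", "pid process module function dst owner")

def parse_hooks(report):
    """Return Hook records from the >Hooks section; other sections are skipped."""
    hooks, in_hooks = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(">"):              # >Drivers, >Stealth, >Files, >Hooks
            in_hooks = line == ">Hooks"
            continue
        if not in_hooks or not line or line.startswith("="):
            continue
        m = HOOK_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised hook line: {line}")
        parts = m["chain"].split("-->")
        if m["pid"] is None:                  # module-->function  or  module+offset
            process, module = "kernel", parts[0]
            function = parts[1] if len(parts) > 1 else ""
            if "+" in module:
                module, offset = module.split("+", 1)
                function = "+" + offset
        else:                                 # process-->module-->function
            process, module, function = parts
        hooks.append(Hook(int(m["pid"]) if m["pid"] else None, process, module,
                          function, int(m["dst"], 16), m["owner"]))
    return hooks

def verdict(h):
    if h.owner == "unknown_code_page":
        return "unbacked"   # no loaded module at the target: injected code
    if h.owner.lower() == h.module.lower():
        return "internal"   # redirect stays inside the patched image
    return "module"         # a named driver/DLL owns the target: check its vendor

def family(function):
    for name, prefixes in FAMILIES.items():
        if function.startswith(prefixes):
            return name
    return "other"

def triage(report):
    """Per process: unbacked hooks grouped by API family, plus attributable hooks."""
    summary = {}
    for h in parse_hooks(report):
        key = f"[{h.pid}]{h.process}" if h.pid is not None else h.process
        entry = summary.setdefault(key, {"unbacked": defaultdict(list), "module": [], "internal": []})
        v = verdict(h)
        if v == "unbacked":
            entry["unbacked"][family(h.function)].append(f"{h.module}!{h.function}")
        else:
            entry[v].append(f"{h.module}!{h.function} -> {h.owner}")
    for entry in summary.values():            # plain dicts print and compare cleanly
        entry["unbacked"] = dict(entry["unbacked"])
    return summary

# Constructed excerpt in RkU's format (a handful of lines, not a real scan).
SAMPLE_REPORT = r"""
>Drivers
==============================================
0x80788000 C:\Windows\system32\drivers\mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
>Hooks
==============================================
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x822AF7AA-->822AF7B1 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x8241782A-->807BB1EC [mfehidk.sys]
[1008]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->003A001B [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->003900C5 [unknown_code_page]
[1008]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->003B0000 [unknown_code_page]
[1208]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x776ED690-->013B0FEF [unknown_code_page]
"""

if __name__ == "__main__":
    for proc, entry in triage(SAMPLE_REPORT).items():
        print(proc, entry)
```

Hooks whose owner is a named security driver are the product's own protection; the ones to hand to the helper are the unbacked entries, especially when the same set recurs across several service processes.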

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 26th, 2011, 2:13 pm

I am currently backing up my personal files. However, in the last day I have made some adjustments to my computer. I downloaded CCleaner and NoScript for Firefox. I also have downloaded AdBlock Plus for Firefox. I used CCleaner to delete files in my registry and clear out temporary files. Should I post more DDS files or should I proceed with your instructions? I'm sorry that I didn't mention this earlier!
c_c_2011
Active Member
 
Posts: 13
Joined: June 25th, 2011, 11:39 am

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 26th, 2011, 10:20 pm

Here is the permalink for the atitmmxx32.dll file:
http://virusscan.jotti.org/en/scanresul ... 3127f53e2b
c_c_2011
Active Member
 
Posts: 13
Joined: June 25th, 2011, 11:39 am

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 26th, 2011, 10:46 pm

Here is the Malwarebytes' log:


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6956

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

6/26/2011 10:45:32 PM
mbam-log-2011-06-26 (22-45-32).txt

Scan type: Quick scan
Objects scanned: 169703
Time elapsed: 19 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1349c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1349o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1349p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000e751998f1349s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1349c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1349o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1349p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000e751998f1349s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c_c_2011
Active Member
 
Posts: 13
Joined: June 25th, 2011, 11:39 am

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 27th, 2011, 12:38 am

Here is the RKUnHooker log:


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #1
==============================================
>Drivers
==============================================
0x8B002000 C:\Windows\system32\DRIVERS\atikmdag.sys 5861376 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82207000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x82207000 PnpManager 3907584 bytes
0x82207000 RAW 3907584 bytes
0x82207000 WMIxWDM 3907584 bytes
0x8C00E000 C:\Windows\system32\drivers\RTKVHDA.sys 2150400 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x94410000 Win32k 2113536 bytes
0x94410000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8760E000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x87478000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8C2E3000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x80468000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0x99608000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8B908000 C:\Windows\system32\DRIVERS\athr.sys 724992 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
0x8C532000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8B80F000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8BA00000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x80556000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x87407000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x96C0C000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x80788000 C:\Windows\system32\drivers\mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0x96D7D000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
0x8B8BB000 C:\Windows\system32\DRIVERS\yk60x86.sys 315392 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
0x8C404000 C:\Windows\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0x806A9000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8BEFF000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80600000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80427000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8BB23000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8B599000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8BF8D000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x875AE000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x96D04000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x8771E000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8BE4C000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x825C1000 ACPI_HAL 208896 bytes
0x825C1000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x80746000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8BECD000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8BAB9000 C:\Windows\system32\DRIVERS\SynTP.sys 196608 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x8BAF4000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8C21B000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x87583000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8BE0B000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x8C4EB000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x96D55000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8776E000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x8BE92000 C:\Windows\system32\drivers\mfewfpk.sys 159744 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0x80657000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8C248000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8B5D7000 C:\Windows\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0x8BB91000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x877A6000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x96CC4000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8C466000 C:\Windows\System32\Drivers\usbvideo.sys 135168 bytes (Microsoft Corporation, USB Video Class Driver)
0x8C290000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x96CE5000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x80728000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x96C79000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x8C3CD000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8C4C0000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x96C96000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8B9B9000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x96D3D000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8BFD3000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8BB6F000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8C44F000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x99750000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x9972E000 C:\Windows\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
0x8BF47000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8C3E8000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x96CAF000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8BBD7000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8BBC3000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8BEB9000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8BA91000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x8C51F000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8BF7A000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x87795000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x8BE81000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8040E000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x807E5000 C:\Windows\system32\DRIVERS\amdk8.sys 65536 bytes (Microsoft Corporation, Processor Device Driver)
0x80778000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8C4DB000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x80708000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8BBEC000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8BF5D000 C:\Windows\system32\DRIVERS\mfenlfk.sys 61440 bytes (McAfee, Inc., McAfee NDIS Light Filter Driver)
0x8C4B1000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x8775F000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x8067E000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8BBB4000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8B800000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8069A000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x94650000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x80548000 C:\Windows\System32\drivers\hxhg.sys 57344 bytes
0x8BF6C000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8C2CC000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x806FA000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8C487000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8BE3F000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x805D2000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x99722000 C:\Windows\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0x99744000 C:\Windows\system32\drivers\mfebopk.sys 49152 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0x996F2000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8C284000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8B8AF000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8C494000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8BAAE000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8BAE9000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8C2C1000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8BB86000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8BB64000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x87600000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x80690000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x8BAA4000 C:\Windows\system32\DRIVERS\DKbFltr.sys 40960 bytes (Dritek System Inc., Dritek PS2 Keyboard Filter Driver)
0x8C4A7000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8BE35000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8C515000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8BFC9000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x996E8000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8B9DF000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x99766000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x877CF000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8C26D000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8C2DA000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x94630000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x875E9000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8B9E9000 C:\Windows\system32\DRIVERS\usbfilter.sys 36864 bytes (Advanced Micro Devices Inc., AMD USB Filter Driver)
0x875F2000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x80646000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8C000000 C:\Windows\system32\drivers\ws2ifsl.sys 36864 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0x80720000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x877C7000 C:\Windows\system32\DRIVERS\AtiPcie.sys 32768 bytes (ATI Technologies Inc., ATI PCIE Driver for ATI PCIE chipset)
0x8041F000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8C49F000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x8064F000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8B9D1000 C:\Windows\system32\DRIVERS\NTIDrvr.sys 32768 bytes (NewTech Infosystems, Inc., NTI CD-ROM Filter Driver)
0x8C2B1000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8C2B9000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x87757000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x80718000 C:\Windows\System32\Drivers\UBHelper.sys 32768 bytes (NewTech Infosystems Corporation, NTI CDROM Filter Driver)
0x8C27D000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x96DE4000 C:\Windows\system32\drivers\int15.sys 28672 bytes (Acer, Inc., int15)
0x80407000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8C276000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x806F3000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8B9D9000 C:\Windows\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8BA8D000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x8068D000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x996E6000 C:\Windows\system32\drivers\regi.sys 8192 bytes (InterVideo, regi driver)
0x8BBFC000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8B9F2000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x822AF7AA-->822AF7B1 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x8241782A-->807BB1EC [mfehidk.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x823F80D3-->807BB216 [mfehidk.sys]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x82417AED-->807BB202 [mfehidk.sys]
ntkrnlpa.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x82232982-->807BB1D8 [mfehidk.sys]
[1008]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->003A002C [unknown_code_page]
[1008]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->003A0051 [unknown_code_page]
[1008]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->003A006C [unknown_code_page]
[1008]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->003A0FAF [unknown_code_page]
[1008]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->003A0000 [unknown_code_page]
[1008]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->003A0FCA [unknown_code_page]
[1008]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->003A001B [unknown_code_page]
[1008]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->003A0FE5 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00390FEF [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00390FD4 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00390FC3 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00390FB2 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00390F64 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00390F38 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->003900C5 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->003900E0 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->0039008F [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->003900AA [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00390028 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00390F90 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->00390F7F [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00390FA1 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00390063 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->00390074 [unknown_code_page]
[1008]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->00390F49 [unknown_code_page]
[1008]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00320000 [unknown_code_page]
[1008]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00320036 [unknown_code_page]
[1008]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00320025 [unknown_code_page]
[1008]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->003B0000 [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->01200047 [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->0120006C [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->0120007D [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->01200FC0 [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->01200000 [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->01200FE5 [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->01200036 [unknown_code_page]
[1208]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->0120001B [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00E50000 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00E50FEF [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00E50FD4 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00E50FC3 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00E50067 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00E50EF5 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->00E50EE4 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->00E50ED3 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->00E50F3C [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->00E50F21 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00E50FA8 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00E50F72 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->00E5002F [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00E50F8D [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00E50F61 [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->00E5004C [unknown_code_page]
[1208]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->00E50F06 [unknown_code_page]
[1208]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00FF0000 [unknown_code_page]
[1208]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00FF001B [unknown_code_page]
[1208]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00FF0FDB [unknown_code_page]
[1208]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x776ED690-->013B0FEF [unknown_code_page]
[1208]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x776EF3A4-->013B001B [unknown_code_page]
[1208]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x77736D5F-->013B0FCA [unknown_code_page]
[1208]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x776EDB09-->013B000A [unknown_code_page]
[1208]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->01250000 [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->014F0FAF [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->014F0051 [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->014F0062 [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->014F0036 [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->014F0FE5 [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->014F0011 [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->014F0FC0 [unknown_code_page]
[1240]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->014F0000 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00F80000 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00F8001B [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00F80036 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00F80047 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00F800BA [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00F80F7E [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->00F80F6D [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->00F80115 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->00F80F99 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->00F800E9 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00F80058 [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00F8007D [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->00F8008E [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00F80FDB [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00F8009F [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->00F80FAA [unknown_code_page]
[1240]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->00F800FA [unknown_code_page]
[1240]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00FA0000 [unknown_code_page]
[1240]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00FA001B [unknown_code_page]
[1240]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00FA0FE5 [unknown_code_page]
[1240]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->01500FEF [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->01680051 [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->01680FAF [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->0168006C [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->01680FCA [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->01680000 [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->01680025 [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->01680040 [unknown_code_page]
[1260]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->01680FEF [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->01610000 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->01610FE5 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->01610FCA [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->01610FB9 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->01610082 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->01610F46 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->01610F2B [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->01610F1A [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->01610F57 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->016100A7 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->01610025 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->01610F8D [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->01610F7C [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->01610F9E [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->01610056 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->01610067 [unknown_code_page]
[1260]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->016100B8 [unknown_code_page]
[1260]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->01630FEF [unknown_code_page]
[1260]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->0163001B [unknown_code_page]
[1260]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->01630000 [unknown_code_page]
[1260]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->01690000 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->001F0065 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->001F0091 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->001F0FD4 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->001F0076 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->001F0000 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->001F0025 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->001F0040 [unknown_code_page]
[1368]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->001F0FEF [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->001C0000 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->001C001B [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->001C0FE5 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->001C0036 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->001C0F6D [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->001C0F1F [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->001C00B6 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->001C0F04 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->001C0F5C [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->001C0F41 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->001C0051 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->001C006C [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->001C007D [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->001C0FCA [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->001C0FA3 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->001C0F88 [unknown_code_page]
[1368]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->001C0F30 [unknown_code_page]
[1368]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->001E0000 [unknown_code_page]
[1368]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->001E0FD4 [unknown_code_page]
[1368]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->001E0FE5 [unknown_code_page]
[1368]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->00370FEF [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00D60FB9 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00D60040 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00D60F83 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00D60FA8 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00D60FEF [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00D60FD4 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00D6001B [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00D60000 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00120000 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00120011 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00120022 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00120FD1 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->001200AD [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00120F4C [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->001200E3 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->00120F31 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->00120F78 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->001200BE [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->0012003D [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->0012005F [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->00120070 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->0012004E [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00120081 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->0012009C [unknown_code_page]
[1428]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->00120F5D [unknown_code_page]
[1428]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00D10FEF [unknown_code_page]
[1428]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00D10025 [unknown_code_page]
[1428]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00D1000A [unknown_code_page]
[1428]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x776ED690-->00EF0FEF [unknown_code_page]
[1428]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x776EF3A4-->00EF001B [unknown_code_page]
[1428]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x77736D5F-->00EF0FCA [unknown_code_page]
[1428]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x776EDB09-->00EF0000 [unknown_code_page]
[1428]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->00E10FEF [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00070014 [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00070F72 [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->0007002F [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00070F8D [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00070FEF [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00070FB9 [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00070F9E [unknown_code_page]
[1520]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00070FD4 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00010FEF [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00010FD4 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->0001000A [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00010FC3 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00010F55 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00010EFD [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->00010094 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->000100A5 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->00010F3A [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->00010F29 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00010FA8 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00010040 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->00010F83 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00010025 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00010051 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->00010F66 [unknown_code_page]
[1520]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->00010F18 [unknown_code_page]
[1520]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00040FEF [unknown_code_page]
[1520]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00040025 [unknown_code_page]
[1520]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00040014 [unknown_code_page]
[1520]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->00080000 [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->013F0036 [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->013F0047 [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->013F0F8A [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->013F0FAF [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->013F000A [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->013F0FDE [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->013F0025 [unknown_code_page]
[1576]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->013F0FEF [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->013E000A [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->013E0025 [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->013E0FEF [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->013E0040 [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->013E00DA [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->013E0F9E [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->013E012B [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->013E0146 [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->013E0FAF [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->013E00F5 [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->013E005B [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->013E0087 [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->013E0098 [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->013E0076 [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->013E0FCA [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->013E00BF [unknown_code_page]
[1576]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->013E0110 [unknown_code_page]
[1576]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->01390FE5 [unknown_code_page]
[1576]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->0139001B [unknown_code_page]
[1576]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->01390000 [unknown_code_page]
[1576]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->01440000 [unknown_code_page]
[1604]mfevtps.exe-->crypt32.dll-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x73C01058-->00D87740 [mfevtps.exe]
[1604]mfevtps.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x73C01290-->00D877A0 [mfevtps.exe]
[1904]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00210FB6 [unknown_code_page]
[1904]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00210F9B [unknown_code_page]
[1904]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00210F8A [unknown_code_page]
[1904]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->0021003D [unknown_code_page]
[1904]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00210000 [unknown_code_page]
[1904]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00210011 [unknown_code_page]
[1904]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->0021002C [unknown_code_page]
[1904]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00210FDB [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->001A0FEF [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->001A0FD4 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->001A0FB9 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->001A0000 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->001A0F37 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->001A0076 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->001A0EDF [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->001A0087 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->001A0F26 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->001A0F0B [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->001A0F94 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->001A0F79 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->001A0036 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->001A001B [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->001A0051 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->001A0F52 [unknown_code_page]
[1904]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->001A0EFA [unknown_code_page]
[1904]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00200000 [unknown_code_page]
[1904]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->0020001B [unknown_code_page]
[1904]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00200FE5 [unknown_code_page]
[1904]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->00240000 [unknown_code_page]
[1912]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->70E14618 [shimeng.dll]
[1912]rundll32.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->70E14618 [shimeng.dll]
[1912]rundll32.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->70E14618 [shimeng.dll]
[1912]rundll32.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->70E14618 [shimeng.dll]
[2140]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->0007002C [unknown_code_page]
[2140]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00070F8A [unknown_code_page]
[2140]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00070051 [unknown_code_page]
[2140]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00070FA5 [unknown_code_page]
[2140]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00070FE5 [unknown_code_page]
[2140]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00070000 [unknown_code_page]
[2140]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00070011 [unknown_code_page]
[2140]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00070FD4 [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->0005000A [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00050FEF [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00050FDE [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00050FCD [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00050061 [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00050EF6 [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->0005008D [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->00050EDB [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->00050F36 [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->00050F25 [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00050FBC [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00050F9A [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->00050F7D [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00050FAB [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00050F6C [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->00050F5B [unknown_code_page]
[2140]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->0005007C [unknown_code_page]
[2140]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00060000 [unknown_code_page]
[2140]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00060FEF [unknown_code_page]
[2140]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->0006001B [unknown_code_page]
[2524]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->6CAD9A20 [McProxy.dll]
[2524]McSvHost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->6CAD9AE2 [McProxy.dll]
[3144]firefox.exe-->mswsock.dll+0x00007F18, Type: Code Mismatch 0x753E7F18 + 32536 [30 26 C8 EE]
[3144]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x779193A8-->013513F0 [firefox.exe]
[3144]firefox.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump 0x7617652F-->007A2986 [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x7617330C-->007A2AD5 [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x761740D9-->007A2A5F [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x7617418A-->007A2B4B [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump 0x761862D4-->007A2AFF [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->WSAAsyncGetHostByName, Type: Inline - RelativeJump 0x76185FB9-->007A2B99 [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->WSAConnect, Type: Inline - RelativeJump 0x7617D7B0-->007A2A94 [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->WSASocketW, Type: Inline - RelativeJump 0x761734EB-->007A29FC [atitmmxx32.dll]
[3144]firefox.exe-->ws2_32.dll-->WSASocketW, Type: Inline - SEH 0x761734F0 [unknown_code_page]
[3144]firefox.exe-->ws2_32.dll-->WSASocketW, Type: Inline - SEH 0x761734F1 [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00060FAF [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00060F83 [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00060040 [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00060F9E [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00060000 [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->0006001B [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00060FC0 [unknown_code_page]
[3876]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00060FDB [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00010FEF [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00010FDE [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00010014 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->0001002F [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00010F7A [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00010F55 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->00010F44 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->000100F6 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->000100A5 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->000100B6 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->0001004A [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00010FB2 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->0001006F [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00010FCD [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00010F95 [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->0001008A [unknown_code_page]
[3876]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->000100DB [unknown_code_page]
[3876]explorer.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00040FE5 [unknown_code_page]
[3876]explorer.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00040FC3 [unknown_code_page]
[3876]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00040FD4 [unknown_code_page]
[3876]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x776ED690-->033F0FEF [unknown_code_page]
[3876]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x776EF3A4-->033F0FCD [unknown_code_page]
[3876]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x77736D5F-->033F0FB2 [unknown_code_page]
[3876]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x776EDB09-->033F0FDE [unknown_code_page]
[3876]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->031E0000 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00E00FC3 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00E00F97 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00E00F86 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00E00FA8 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00E00000 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00E00FE5 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00E00FD4 [unknown_code_page]
[464]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00E0001B [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->007F0000 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->007F0011 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->007F0FDB [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->007F002C [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->007F0F7D [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->007F00CD [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->007F0F2C [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->007F00E8 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->007F0F6C [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->007F00A8 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->007F003D [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->007F0069 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->007F0086 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->007F0058 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->007F0FAC [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->007F0097 [unknown_code_page]
[464]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->007F0F47 [unknown_code_page]
[464]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00DB000A [unknown_code_page]
[464]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00DB002C [unknown_code_page]
[464]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00DB001B [unknown_code_page]
[464]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->00E1000A [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->0076002F [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->0076004A [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00760F8D [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00760FA8 [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00760FEF [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00760FC3 [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00760014 [unknown_code_page]
[564]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00760FDE [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->001D0FEF [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->001D0014 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->001D0FDE [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->001D002F [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->001D0098 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->001D0F48 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->001D0F37 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->001D00E9 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->001D0F6D [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->001D00B3 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->001D0FC3 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->001D004A [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->001D005B [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->001D0FA8 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->001D006C [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->001D0087 [unknown_code_page]
[564]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->001D00C4 [unknown_code_page]
[564]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00750000 [unknown_code_page]
[564]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00750036 [unknown_code_page]
[564]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->0075001B [unknown_code_page]
[564]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->007B0000 [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00050040 [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00050F9E [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->0005005B [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00050FB9 [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00050000 [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->0005001B [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00050FCA [unknown_code_page]
[752]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00050FE5 [unknown_code_page]
[752]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00040FEF [unknown_code_page]
[752]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->00040FDE [unknown_code_page]
[752]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00040FCD [unknown_code_page]
[752]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00040014 [unknown_code_page]
[752]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->0004008C [unknown_code_page]
[752]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00040F35 [unknown_code_page]
[752]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->00040F24 [unknown_code_page]
[752]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->00040F13 [unknown_code_page]
[752]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->000400A7 [unknown_code_page]
[752]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->00040F6B [unknown_code_page]
[752]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00040FA8 [unknown_code_page]
[752]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00040039 [unknown_code_page]
[752]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->00040F86 [unknown_code_page]
[752]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00040F97 [unknown_code_page]
[752]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->0004006A [unknown_code_page]
[752]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->0004007B [unknown_code_page]
[752]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->00040F50 [unknown_code_page]
[752]services.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->00030FE5 [unknown_code_page]
[752]services.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00030000 [unknown_code_page]
[752]services.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00030FD4 [unknown_code_page]
[752]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->00060FEF [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00130036 [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00130FA5 [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00130F94 [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00130051 [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00130FE5 [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00130025 [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00130FCA [unknown_code_page]
[772]lsass.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->0013000A [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->00120FEF [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->0012000A [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->0012001B [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00120FCA [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00120F72 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->00120F32 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->00120F21 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->001200D3 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->00120F61 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->001200A7 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00120FAF [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00120040 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->0012005B [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->00120F9E [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00120F83 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->00120078 [unknown_code_page]
[772]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->001200B8 [unknown_code_page]
[772]lsass.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->0011000A [unknown_code_page]
[772]lsass.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->00110FDE [unknown_code_page]
[772]lsass.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->00110FEF [unknown_code_page]
[772]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->00BD0000 [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x76EC3BA9-->00130F9E [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x76EC39AB-->00130F79 [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x76ED41F1-->00130036 [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x76ED391E-->00130025 [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x76EC89C7-->00130FEF [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x76ED7C42-->00130000 [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x76EE7BA1-->00130FB9 [unknown_code_page]
[940]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x76EDE2B5-->00130FD4 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7743CE5F-->0011000A [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7743AECB-->0011001B [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x773F2EF5-->00110036 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x773F5C0C-->00110051 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x77418E6E-->00110F81 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x773F1C28-->001100D8 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x773F1BF3-->001100E9 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7743903B-->001100FA [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x773F19C9-->001100A2 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x773F1929-->001100B3 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x774194DC-->00110FE5 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x774194B4-->00110FC0 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x77419109-->0011007D [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x77419362-->0011006C [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x773F1DC3-->00110FA3 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7741DBDA-->00110F92 [unknown_code_page]
[940]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x77485CF7-->00110F5C [unknown_code_page]
[940]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x77954224-->000F0000 [unknown_code_page]
[940]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x779542E4-->000F0FE5 [unknown_code_page]
[940]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x77954B84-->000F001B [unknown_code_page]
[940]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x761736D1-->001D0000 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
c_c_2011
Active Member
 
Posts: 13
Joined: June 25th, 2011, 11:39 am

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 27th, 2011, 12:41 am

Update on performance:
So far I don't seem to be having any problems with the Google Misdirect Virus. I tried a couple of searches and clicked a few links and have not run into any random websites. I will keep you updated if this changes.
Unfortunately, I am pretty sure the Trojan is still in my computer. After I did the Malwarebytes scan and restarted my computer, my McAfee Security Center picked up another Trojan in my registry.
Thanks for your help so far! I appreciate it!
c_c_2011
Active Member
 
Posts: 13
Joined: June 25th, 2011, 11:39 am

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 27th, 2011, 12:55 am

McAfee just removed another Trojan. I managed to get a look at the details and it says that it's been removing Generic.bfr!cf and Generic Downloader.x!fqu.

I've had about 9 trojans removed in the last couple of days.
c_c_2011
Active Member
 
Posts: 13
Joined: June 25th, 2011, 11:39 am

Re: Google Misdirect Virus and Possible Trojan

Unread postby Cypher » June 27th, 2011, 4:46 am

Hi c_c_2011.
First, please do not make any further changes to your system unless I ask you to do so; this will complicate matters.
I used CCleaner to delete files in my registry.

CAUTION: I advise you NOT to use the "Registry" button in the left pane.
This is a built-in registry cleaner. Removing certain entries can render your computer inoperable!
So far I don't seem to be having any problems with the Google Misdirect Virus

Yes, keep me updated and let me know if your searches are redirected again.


Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts.
  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.



Logs/Information to Post in your Next Reply

  • ComboFix.txt.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 27th, 2011, 10:37 pm

So far I'm not having any problems with the Google Misdirect virus!

Here is the ComboFix log:

ComboFix 11-06-27.01 - Cindy 06/27/2011 21:51:57.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1789.860 [GMT -4:00]
Running from: c:\users\Cindy\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\atitmmxx32.dll
c:\users\Chao\AppData\Roaming\Mozilla\Firefox\Profiles\rl50yueq.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}
c:\users\Chao\AppData\Roaming\Mozilla\Firefox\Profiles\rl50yueq.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\chrome.manifest
c:\users\Chao\AppData\Roaming\Mozilla\Firefox\Profiles\rl50yueq.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\chrome\xulcache.jar
c:\users\Chao\AppData\Roaming\Mozilla\Firefox\Profiles\rl50yueq.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\defaults\preferences\xulcache.js
c:\users\Chao\AppData\Roaming\Mozilla\Firefox\Profiles\rl50yueq.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\install.rdf
c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\5s9d06vt.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}
c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\5s9d06vt.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\chrome.manifest
c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\5s9d06vt.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\chrome\xulcache.jar
c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\5s9d06vt.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\defaults\preferences\xulcache.js
c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\5s9d06vt.default\extensions\{730fa3a0-0bc3-4465-9b9e-1a9c5bd900c0}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-28 )))))))))))))))))))))))))))))))
.
.
2011-06-28 02:18 . 2011-06-28 02:18 -------- d-----w- c:\users\Cindy\AppData\Local\temp
2011-06-27 03:15 . 2011-06-27 03:15 -------- d-----w- c:\program files\Apple Software Update
2011-06-27 03:09 . 2011-06-27 03:09 -------- d-----w- c:\program files\iPod
2011-06-27 03:09 . 2011-06-27 03:12 -------- d-----w- c:\program files\iTunes
2011-06-27 02:48 . 2011-06-27 02:48 -------- d-----w- c:\program files\Bonjour
2011-06-27 02:22 . 2011-06-27 02:22 -------- d-----w- c:\users\Cindy\AppData\Roaming\Malwarebytes
2011-06-27 02:22 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-27 02:22 . 2011-06-27 02:22 -------- d-----w- c:\programdata\Malwarebytes
2011-06-27 02:22 . 2011-06-27 02:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-27 02:22 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-26 15:45 . 2011-06-26 15:45 -------- d-----w- c:\program files\CCleaner
2011-06-23 04:14 . 2011-06-27 01:21 -------- d-----w- c:\programdata\AVAST Software
2011-06-23 04:14 . 2011-06-23 04:14 -------- d-----w- c:\program files\AVAST Software
2011-06-23 04:11 . 2011-06-23 04:11 0 ---ha-w- c:\windows\system32\zjgklquyzt.tmp
2011-06-21 04:02 . 2011-06-21 04:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-17 05:35 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-17 05:35 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-17 05:35 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-17 05:35 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-17 05:35 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-17 05:35 . 2011-04-30 06:09 758784 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-17 05:33 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-17 05:33 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-17 05:33 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-17 05:33 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-06-13 20:55 . 2011-06-13 20:55 0 ---ha-w- c:\users\Cindy\AppData\Local\BITEFFB.tmp
2011-06-11 21:35 . 2011-06-11 21:35 0 ---ha-w- c:\users\Cindy\AppData\Local\BITF758.tmp
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 18:01 . 2011-01-28 08:40 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 18:01 . 2011-01-28 08:40 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-14 18:01 . 2011-01-28 08:40 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 18:01 . 2011-01-28 08:40 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 18:01 . 2011-01-28 08:40 64584 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-04-14 18:01 . 2011-01-28 08:40 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-14 18:01 . 2011-01-28 08:40 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 18:01 . 2011-01-28 08:40 165032 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-04-14 18:01 . 2009-08-09 02:20 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 18:01 . 2009-08-09 02:20 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-14 18:01 . 2009-05-14 03:25 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-08-03 20:45 . 2010-02-22 16:17 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2011-04-14 18:01 . 2011-01-28 08:40 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-02 809480]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-14 6253088]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-03 30192]
"Skytel"="Skytel.exe" [2008-07-14 1833504]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
.
c:\users\Chao\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
c:\users\Cindy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2010-7-25 256000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Users^Cindy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Cindy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-20 05:02 135664 ----atw- c:\users\Cindy\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 D0F42C22;D0F42C22;c:\windows\system32\D0F42C22.exe [x]
R3 D330048A;D330048A;c:\windows\system32\D330048A.exe [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-03 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488]
R3 WisINT15;WisINT15;c:\windows\System32\OEM\factory\WisINT15.SYS [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-04-14 64584]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-04-14 165032]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-04-14 141792]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2008-05-29 22072]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 05:27]
.
2011-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 05:27]
.
2011-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3239961182-2857614109-2146591167-1000Core.job
- c:\users\Cindy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-20 05:02]
.
2011-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3239961182-2857614109-2146591167-1000UA.job
- c:\users\Cindy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-20 05:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx? ... 209&m=d620
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1 192.168.1.50 68.105.28.12
FF - ProfilePath - c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\5s9d06vt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=14-06-2010&tb_mrud=14-06-2010
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-BroadCam - c:\program files\NCH Software\BroadCam\broadcam.exe
MSConfigStartUp-Recordpad - c:\program files\NCH Swift Sound\Recordpad\recordpad.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-27 22:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-06-27 22:23:43
ComboFix-quarantined-files.txt 2011-06-28 02:23
.
Pre-Run: 81,542,459,392 bytes free
Post-Run: 81,520,467,968 bytes free
.
- - End Of File - - 020B579A311F5C6838621E29B377042E

Re: Google Misdirect Virus and Possible Trojan

Unread postby Cypher » June 28th, 2011, 5:29 am

Hi c_c_2011.
Is McAfee still reporting any problems?

Download and run OTM

Download OTM.exe by Old Timer and save it to your Desktop.
  • Right-click OTM.exe and select "Run as administrator" to run it.
  • Right-click, then copy the following code. Do not include the word Code.
    Code: Select all
    :Services
    D0F42C22
    D330048A
    
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    
    :Files
    c:\windows\system32\zjgklquyzt.tmp
    c:\users\Cindy\AppData\Local\BITEFFB.tmp
    c:\users\Cindy\AppData\Local\BITF758.tmp
    ipconfig /flushdns /c
    
    :Commands
    [EmptyFlash]
    [emptytemp]
    [start explorer]
    [Reboot]
    

  • Return to OTM, right-click, then paste the code into the blank box shown below [image]
  • Next, click on the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

We need to run Malwarebytes Anti-Malware again.
Note: the instructions are different this time; I would like you to run a Full Scan.

  • Launch the application, Check for Updates >> Perform Full Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Logs/Information to Post in your Next Reply

  • Is McAfee still reporting any problems?
  • OTM log.
  • Malwarebytes log.
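As an added example (not from this thread, nor from DDS, OTM or any other tool used in it), a small Python triage script that parses DDS-style service lines like those in the log above and flags entries that look like the two services the OTM script stopped and deleted; the 8-hex-character name heuristic and the weights are assumptions of this example, not a rule of any tool.

```python
import re

# Lines copied from the DDS service list above; the two hex-named entries are
# the ones the OTM script stopped and deleted.
SAMPLE_LINES = """\
R2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [2010-01-27 135664]
R3 D0F42C22;D0F42C22;c:\\windows\\system32\\D0F42C22.exe [x]
R3 D330048A;D330048A;c:\\windows\\system32\\D330048A.exe [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\\windows\\system32\\drivers\\mferkdet.sys [2011-04-14 84488]
R3 WisINT15;WisINT15;c:\\windows\\System32\\OEM\\factory\\WisINT15.SYS [x]
S2 regi;regi;c:\\windows\\system32\\drivers\\regi.sys [2007-04-18 11032]
"""

# DDS format: "<R|S><start type> name;display name;image path [date size]" where
# the bracket holds "x" when the image file was not found on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<tail>[^\]]*)\]$")
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}$")                       # e.g. D0F42C22
SYS32_ROOT_EXE_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.exe$", re.I)

# Heuristic weights are an assumption of this example, not a DDS/OTM rule.
CHECKS = [
    (lambda e: bool(HEX_NAME_RE.match(e["name"])), "random-looking 8-hex-char service name", 3),
    (lambda e: e["display"] == e["name"], "display name identical to service name", 1),
    (lambda e: e["missing"], "image file not found on disk ([x])", 1),
    (lambda e: bool(SYS32_ROOT_EXE_RE.match(e["path"])), "bare .exe directly in system32", 1),
]

def parse_services(text):
    """Return one dict per DDS service/driver line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["missing"] = e.pop("tail") == "x"
            entries.append(e)
    return entries

def triage(entry):
    """Return (score, [reasons]) for one parsed entry."""
    hits = [(reason, w) for check, reason, w in CHECKS if check(entry)]
    return sum(w for _, w in hits), [r for r, _ in hits]

def suspicious(text, threshold=3):
    """Map service name -> reasons for every entry scoring at or above threshold."""
    out = {}
    for e in parse_services(text):
        score, reasons = triage(e)
        if score >= threshold:
            out[e["name"]] = reasons
    return out
```

Running suspicious(SAMPLE_LINES) flags only D0F42C22 and D330048A; WisINT15, whose file is also missing, scores below the threshold because its name is not random-looking and it is not a bare .exe in system32.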

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 28th, 2011, 10:21 pm

Thanks again for your help! So far there are no alerts coming from McAfee.

Here is the OTM file:
All processes killed
========== SERVICES/DRIVERS ==========
Service D0F42C22 stopped successfully!
Service D0F42C22 deleted successfully!
Service D330048A stopped successfully!
Service D330048A deleted successfully!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched\ deleted successfully.
========== FILES ==========
c:\windows\system32\zjgklquyzt.tmp moved successfully.
c:\users\Cindy\AppData\Local\BITEFFB.tmp moved successfully.
c:\users\Cindy\AppData\Local\BITF758.tmp moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Cindy\Desktop\cmd.bat deleted successfully.
C:\Users\Cindy\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chao
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 887 bytes
->FireFox cache emptied: 86000878 bytes
->Flash cache emptied: 9023 bytes

User: Cindy
->Temp folder emptied: 243898 bytes
->Temporary Internet Files folder emptied: 701314 bytes
->Java cache emptied: 43583362 bytes
->FireFox cache emptied: 34825701 bytes
->Google Chrome cache emptied: 398836135 bytes
->Flash cache emptied: 1512 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 6476300 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 544.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 06282011_220624

Files moved on Reboot...

Registry entries deleted on Reboot...

Re: Google Misdirect Virus and Possible Trojan

Unread postby Cypher » June 29th, 2011, 5:02 am

Hi c_c_2011.
Did you run Malwarebytes Anti-Malware again as instructed? Post the log in your next reply.

Re: Google Misdirect Virus and Possible Trojan

Unread postby c_c_2011 » June 29th, 2011, 9:15 am

Hi Cypher. I fell asleep during the middle of the scan and my computer restarted. I'm not sure what happened, but I can't find any copy of the log. I'll scan again later today and put the log up ASAP. Thanks again!

Re: Google Misdirect Virus and Possible Trojan

Unread postby Cypher » June 29th, 2011, 10:11 am

Hi c_c_2011.
To find the last Malwarebytes Anti-Malware log, launch the application, then click on Logs.
They are time-dated; post the one from the last scan, please.