Resolved Blue screen, Artemis, and multiple iexplore.exe


aero05

My computer is running slow and I had a blue screen yesterday. McAfee today said that a trojan was removed: Artemis!D7A66DDA4489. Also, I noticed in Tasks that (2) iexplore.exe were running.

Here's the first log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4309

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/13/2010 3:15:24 PM
mbam-log-2010-07-13 (15-15-24).txt

Scan type: Quick scan
Objects scanned: 129399
Time elapsed: 14 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attachments: DDS.txt (15.8 KB), gmer.log (111.4 KB), Attach.txt (10.2 KB)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-13 15:55:05
Windows 5.1.2600 Service Pack 3
Running: ezd1j09u.exe; Driver: C:\DOCUME~1\Kent\LOCALS~1\Temp\ffqyrkow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF83B4DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF83B4DC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF83B4DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF83B4E46]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF83B4D9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF83B4D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF83B4D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF83B4DDA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF83B4E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF83B4E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF83B4E70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF83B4E5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF83B4E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP F83B4E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP F83B4E4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP F83B4E60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6040 5 Bytes JMP F83B4E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP F83B4D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP F83B4D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP F83B4E74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP F83B4E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP F83B4DDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP F83B4DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP F83B4DC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP F83B4DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP F83B4DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008D0025
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C0FE5
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C0F72
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C005D
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C004C
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0F8D
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C001E
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C0F29
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C0F44
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C0F07
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C0096
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0EEC
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C002F
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0FCA
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C0F61
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C0FA8
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C0FB9
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C0F18
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0F79
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B001B
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0F8A
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008B0FA5
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AB, 88]
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B002C
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0042
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A001D
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0FD2
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0FAD
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A000C
.text C:\WINDOWS\system32\svchost.exe[296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00890000
.text C:\WINDOWS\system32\svchost.exe[340] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\svchost.exe[340] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0103002C
.text C:\WINDOWS\system32\svchost.exe[340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0103001B
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF0F7A
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0F8B
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0FB2
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0FC3
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0051
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F42
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0F5F
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF00D1
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF00C0
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF0F1D
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF008A
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0040
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF002F
.text C:\WINDOWS\system32\svchost.exe[340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF00A5
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0FC3
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE0F83
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0FDE
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0F9E
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EE004A
.text C:\WINDOWS\system32\svchost.exe[340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0039
.text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0055
.text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED003A
.text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED0FD4
.text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0029
.text C:\WINDOWS\system32\svchost.exe[340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED000C
.text C:\WINDOWS\system32\svchost.exe[340] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F72
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B8005D
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F83
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80036
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FA8
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80089
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F41
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80EFA
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F0B
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B80EE9
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80078
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FB9
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F1C
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F9E
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FDB
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920040
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FAB
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FC6
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FDE
.text C:\WINDOWS\system32\svchost.exe[936] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0090002F
.text C:\WINDOWS\system32\svchost.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F4001B
.text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F4000A
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30F65
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30F80
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30F91
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F3004E
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FC0
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30F39
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30F4A
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F300BE
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300AD
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F30F0A
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F3003D
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F30011
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F3006B
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30FD1
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F30022
.text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F30092
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F2002C
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20F8D
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F2001B
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20F9E
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F2000A
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F20FAF
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 89]
.text C:\WINDOWS\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10F92
.text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F1001D
.text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FC8
.text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F1000C
.text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FAD
.text C:\WINDOWS\System32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3
.text C:\WINDOWS\System32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\services.exe[1364] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\services.exe[1364] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00740FC0
.text C:\WINDOWS\system32\services.exe[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00740FE5
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0078
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0F83
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0051
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0F94
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0FAF
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E00AE
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E0093
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0F15
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F30
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E0F04
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0036
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E001B
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F68
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0FC0
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\system32\services.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0F41
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006D0FCA
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006D0047
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006D001B
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006D0FE5
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006D0036
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006D0F9E
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8D, 88]
.text C:\WINDOWS\system32\services.exe[1364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006D0FB9
.text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C002C
.text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C001B
.text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FC6
.text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0FB5
.text C:\WINDOWS\system32\services.exe[1364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FE3
.text C:\WINDOWS\system32\services.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0000
.text C:\WINDOWS\system32\lsass.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\lsass.exe[1376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CA0011
.text C:\WINDOWS\system32\lsass.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F48
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F63
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C9003D
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FA5
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90075
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90064
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F08
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900A1
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900BC
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90F8A
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F37
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FC0
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\lsass.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90086
.text C:\WINDOWS\system32\lsass.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\lsass.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80F8D
.text C:\WINDOWS\system32\lsass.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FB9
 
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A30000
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A3003D
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A30FE5
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01A30F91
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 89]
.text C:\WINDOWS\Explorer.EXE[1800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A30022
.text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A20FB7
.text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A20038
.text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A20FE3
.text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A20000
.text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A20FC8
.text C:\WINDOWS\Explorer.EXE[1800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A20011
.text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01A00FEF
.text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01A00FCA
.text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01A00FAF
.text C:\WINDOWS\Explorer.EXE[1800] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01A00F9E
.text C:\WINDOWS\Explorer.EXE[1800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01A10000
.text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 06120FEF
.text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0612001B
.text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0612000A
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 06110000
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 06110082
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 06110071
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 06110054
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 06110F97
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 06110FB9
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 06110F5F
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 061100A7
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 061100E0
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 06110F3D
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 061100FB
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 06110FA8
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 06110FE5
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 06110F7C
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 06110FD4
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0611001B
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 06110F4E
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 06100FC0
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 06100058
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 06100011
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 06100FDB
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 06100047
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 06100000
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 06100036
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 06100FA5
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 060F0053
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!system 77C293C7 5 Bytes JMP 060F0FC8
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 060F001D
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 060F0000
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 060F0038
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 060F0FE3
.text C:\WINDOWS\System32\svchost.exe[1856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016B0000
.text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 009A0000
.text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 009A0FD4
.text C:\WINDOWS\System32\svchost.exe[1856] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 009A0FB9
.text C:\WINDOWS\system32\svchost.exe[2060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01DC0000
.text C:\WINDOWS\system32\svchost.exe[2060] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01DC0025
.text C:\WINDOWS\system32\svchost.exe[2060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01DC0FE5
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012A0FE5
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012A007F
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012A0F8A
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012A0062
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012A0051
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012A0FCA
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012A0F5E
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012A0F6F
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012A00DC
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012A00CB
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012A00F7
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012A0FB9
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012A0000
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012A009A
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012A0036
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012A001B
.text C:\WINDOWS\system32\svchost.exe[2060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012A0F4D
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01290025
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01290076
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01290014
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01290FDE
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01290065
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01290FEF
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01290FC3
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 89]
.text C:\WINDOWS\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01290040
 
.text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01280029
.text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!system 77C293C7 5 Bytes JMP 01280F9E
.text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01280FCD
.text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01280018
.text C:\WINDOWS\system32\svchost.exe[2060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01280FDE
.text C:\WINDOWS\system32\svchost.exe[2060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01270000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03050FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03050014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03050FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03040000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03040F8F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03040084
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03040073
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03040FB6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03040058
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03040F52
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03040F63
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030400C6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 030400B5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 030400D7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03040FC7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0304001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03040F74
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03040047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03040036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03040F37
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 039F0FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 039F0F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 039F001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 039F000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 039F004A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 039F0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 039F0FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 8B]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 039F0FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 039E0F90
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!system 77C293C7 5 Bytes JMP 039E0FB5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 039E0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_open 77C2F566 5 Bytes JMP 039E0FE3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 039E0025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 039E0FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 038B0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 038B0014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 038B0025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 038B0FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3036] ws2_32.dll!socket 71AB4211 5 Bytes JMP 039D0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00150000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00150022
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00150011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F75
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0027006A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F90
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270FA1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002700A0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270F4E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270F29
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700CC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002700DD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270FB2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270085
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0027002F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002700B1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0036001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360062
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0036000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00360047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370F8B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370FA6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370FE3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FB7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01550FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01550000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0155001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01550036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3696] ws2_32.dll!socket 71AB4211 5 Bytes JMP 02050000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1336] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1336] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
 
DDS (Ver_09-09-29.01) - NTFSx86
Run by Kent at 16:06:12.50 on Tue 07/13/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.114 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe 4
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe 4
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Kent\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100519222050.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [F.lux] "c:\documents and settings\kent\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [ContactKeeper Birthday reminder] "c:\program files\contactkeeper\ContactKeeper.exe" /Reminder
uRun: [SwiftToDoListLite] "c:\program files\swift to-do list\Swift To-Do List Lite.exe" minimized
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\kent\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kent\applic~1\mozilla\firefox\profiles\0icoraqd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/defaulta.aspx
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-9 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-1 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-9 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-1 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-1 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-1 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-1 141792]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-1 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-9 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-9 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-1 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-1 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-1 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-9 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-9 40552]

=============== Created Last 30 ================

2010-07-13 13:48 <DIR> --d----- c:\windows\system32\wbem\Logs
2010-07-13 09:00 <DIR> --d----- c:\windows\Downloaded Installations
2010-07-13 08:59 <DIR> --dsh--- c:\windows\ftpcache
2010-07-09 12:57 <DIR> --d----- c:\program files\Citrix
2010-07-09 12:55 72,080 a------- c:\documents and settings\kent\g2mdlhlpx.exe
2010-06-30 10:04 122,880 a------- c:\windows\system32\cPopMenu6.ocx
2010-06-30 10:04 <DIR> --d----- c:\program files\Swift To-Do List
2010-06-30 09:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Data Access Worldwide
2010-06-30 09:23 <DIR> --d----- c:\program files\Visual DataFlex 14.0
2010-06-30 08:08 137,000 a------- c:\windows\system32\msmapi32.ocx
2010-06-30 08:08 108,336 a------- c:\windows\system32\mswinsck.ocx
2010-06-30 08:08 608,448 a------- c:\windows\system32\comctl32.ocx
2010-06-30 08:08 166,600 a------- c:\windows\system32\msmask32.ocx
2010-06-30 08:08 <DIR> --d----- c:\program files\ContactKeeper
2010-06-30 08:07 <DIR> --d----- c:\docume~1\kent\applic~1\stickies
2010-06-30 08:07 587 a------- c:\windows\uninstallstickies.bat
2010-06-30 08:07 <DIR> --d----- c:\program files\stickies
2010-06-25 13:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
2010-06-25 12:16 <DIR> --d----- c:\docume~1\kent\applic~1\IObit
2010-06-25 12:16 <DIR> --d----- c:\program files\IObit

==================== Find3M ====================

2010-05-21 14:14 221,568 -------- c:\windows\system32\MpSigStub.exe
2010-05-04 13:20 832,512 a------- c:\windows\system32\wininet.dll
2010-05-04 13:20 78,336 a------- c:\windows\system32\ieencode.dll
2010-05-04 13:20 17,408 a------- c:\windows\system32\corpol.dll
2010-05-02 01:22 1,851,264 a------- c:\windows\system32\win32k.sys
2010-04-20 01:30 285,696 a------- c:\windows\system32\atmfd.dll
2010-01-29 00:10 256 a------- c:\documents and settings\kent\pool.bin

============= FINISH: 16:06:52.73 ===============
 
DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/10/2009 12:02:48 AM
System Uptime: 7/13/2010 9:20:21 AM (7 hours ago)

Motherboard: Dell Inc. | | 0X9238
Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 59.953 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Service:

==== System Restore Points ===================

RP171: 4/15/2010 8:02:21 PM - System Checkpoint
RP172: 4/16/2010 10:52:36 PM - System Checkpoint
RP173: 4/17/2010 7:57:00 AM - Software Distribution Service 3.0
RP174: 4/18/2010 3:06:25 PM - System Checkpoint
RP175: 4/20/2010 8:13:18 PM - System Checkpoint
RP176: 4/22/2010 7:21:36 PM - System Checkpoint
RP177: 4/23/2010 1:55:11 AM - Software Distribution Service 3.0
RP178: 4/24/2010 8:16:30 AM - System Checkpoint
RP179: 4/28/2010 9:13:26 PM - Software Distribution Service 3.0
RP180: 5/4/2010 9:51:07 PM - System Checkpoint
RP181: 5/5/2010 3:47:04 PM - Software Distribution Service 3.0
RP182: 5/6/2010 3:58:15 PM - System Checkpoint
RP183: 5/7/2010 1:36:10 AM - Software Distribution Service 3.0
RP184: 5/11/2010 7:34:21 PM - System Checkpoint
RP185: 5/13/2010 9:27:56 PM - System Checkpoint
RP186: 5/16/2010 7:30:27 PM - System Checkpoint
RP187: 5/16/2010 7:56:00 PM - Software Distribution Service 3.0
RP188: 5/17/2010 9:33:39 PM - System Checkpoint
RP189: 5/19/2010 10:53:39 PM - System Checkpoint
RP190: 5/20/2010 1:36:19 AM - Software Distribution Service 3.0
RP191: 5/20/2010 8:55:48 PM - Software Distribution Service 3.0
RP192: 5/21/2010 6:36:15 PM - Software Distribution Service 3.0
RP193: 5/24/2010 7:59:15 PM - Software Distribution Service 3.0
RP194: 5/27/2010 3:52:14 PM - Software Distribution Service 3.0
RP195: 5/27/2010 3:55:36 PM - Software Distribution Service 3.0
RP196: 5/29/2010 3:14:55 PM - System Checkpoint
RP197: 5/31/2010 3:39:22 PM - Software Distribution Service 3.0
RP198: 6/1/2010 7:02:42 PM - System Checkpoint
RP199: 6/3/2010 9:43:54 PM - Software Distribution Service 3.0
RP200: 6/5/2010 6:43:21 PM - System Checkpoint
RP201: 6/6/2010 7:29:27 AM - Software Distribution Service 3.0
RP202: 6/7/2010 4:58:57 PM - Software Distribution Service 3.0
RP203: 6/9/2010 6:27:39 PM - System Checkpoint
RP204: 6/10/2010 7:01:19 AM - Software Distribution Service 3.0
RP205: 6/11/2010 9:14:10 AM - Software Distribution Service 3.0
RP206: 6/14/2010 12:28:54 PM - System Checkpoint
RP207: 6/15/2010 8:01:05 AM - Software Distribution Service 3.0
RP208: 6/16/2010 7:09:10 PM - System Checkpoint
RP209: 6/17/2010 7:22:47 PM - Installed Windows Media Player Firefox Plugin
RP210: 6/18/2010 7:47:17 AM - Software Distribution Service 3.0
RP211: 6/20/2010 5:30:12 PM - System Checkpoint
RP212: 6/22/2010 8:02:32 AM - Software Distribution Service 3.0
RP213: 6/24/2010 7:00:54 AM - Software Distribution Service 3.0
RP214: 6/25/2010 7:18:25 AM - Software Distribution Service 3.0
RP215: 6/25/2010 12:19:00 PM - Advanced SystemCare RestorePoint
RP216: 6/27/2010 12:52:58 PM - System Checkpoint
RP217: 6/28/2010 1:28:45 PM - System Checkpoint
RP218: 6/29/2010 7:07:47 AM - Software Distribution Service 3.0
RP219: 6/30/2010 8:39:07 AM - System Checkpoint
RP220: 7/1/2010 5:58:59 PM - System Checkpoint
RP221: 7/2/2010 1:32:49 AM - Software Distribution Service 3.0
RP222: 7/3/2010 8:25:12 AM - System Checkpoint
RP223: 7/4/2010 10:04:28 AM - System Checkpoint
RP224: 7/5/2010 12:50:31 PM - System Checkpoint
RP225: 7/5/2010 6:08:40 PM - Software Distribution Service 3.0
RP226: 7/8/2010 5:50:27 PM - Software Distribution Service 3.0
RP227: 7/9/2010 9:12:18 PM - System Checkpoint
RP228: 7/12/2010 10:11:51 AM - System Checkpoint
RP229: 7/13/2010 7:27:39 AM - Software Distribution Service 3.0

==== Installed Programs ======================

ABC Amber BlackBerry Converter
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Advanced SystemCare 3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Bonjour
C-Major Audio
Canon i860
ContactKeeper 1.4.3
Dell ResourceCD
F.lux
FoxyTunes for Firefox
GoToMeeting 4.5.0.457
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
iTunes
Java(TM) 6 Update 14
LG USB Modem driver
Malwarebytes' Anti-Malware
Maxtor Manager
McAfee Total Protection
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
mIWA
mIWCA
mLogView
mMHouse
Mozilla Firefox (3.6.3)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mToolkit
mWlsSafe
mXML
mZConfig
PowerDVD
PrimoPDF -- brought to you by Nitro PDF Software
QuickSet
QuickTime
Registry Patrol
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Smart Defrag
Stickies 7.0a
Swift To-Do List Lite 1.33
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973687)
V CAST Music with Rhapsody
Visual DataFlex 2008 Client Engine 14.0
VZAccess Manager
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Player Firefox Plugin
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

7/8/2010 9:28:03 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/12/2010 9:39:11 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Security with the following error: System could not allocate the required space in a registry log.

==== End Of File ===========================
 
How should I address this problem? Since I haven't received a response, did I use improper protocol? Thanks!
 
Duplicate thread of https://www.techspot.com/vb/topic150040.html

I'd like to address a couple of issues before I go on:
  1. I recommend that you uninstall the IOBIT Advanced System Care. This is not a good program to have on the system and the home site is questionable.
  2. You are using Registry Patrol. Most of us don't recommend registry cleaning programs. Very often, the entries they remove should not be removed, or the user does not know enough about the process to decide whether they should be removed.
  3. MRT.exe is the Malicious Software Removal Tool. At this point you don't know if it's a problem with the program itself or if malware is shutting it down. We have to look further as the current logs aren't giving malware information.
  4. The fan running is a heat issue. If it is now louder than usual, you may need to open the computer and clean the inside. (carefully)
  5. You do have a process running actively which is thought to be a Trojan: flu.exe
==============================
Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
==================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please paste these logs into your next reply.

This is a very busy forum. Please practice patience.
 
Thanks for the help Bobbye. I uninstalled IOBIT Advanced System Care and F.lux.

I was unable to uninstall Registry Patrol and received the following message "The following file does not exist or is not a valid uninstallation log file. C;\Program Files\Registry Patrol\uninstal.log"

Attached are the logs for combofix & ESET.
 

Attachments: log.txt (18.3 KB), eset log.txt (1.1 KB)

Found Registry Patrol!

Please download OTMoveIt by OldTimer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    C:\Program Files\ABC Amber BlackBerry Converter\abcberry.exe	
    C:\Program Files\Registry Patrol\RegistryPatrol.exe	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Go ahead and run this. I have to go out for a bit and will check the Combofix as soon as I get back.
 
I downloaded and ran OTMoveIt. Here's the log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\ABC Amber BlackBerry Converter\abcberry.exe moved successfully.
C:\Program Files\Registry Patrol\RegistryPatrol.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

User: Kent
->Temp folder emptied: 230792 bytes
->Temporary Internet Files folder emptied: 13824939 bytes
->FireFox cache emptied: 88749158 bytes
->Flash cache emptied: 17407 bytes

User: Kids
->FireFox cache emptied: 3292179 bytes

User: Kids.DELL-3DD1301BF7

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 24871032 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111759 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 528055 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32969 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 126.00 mb


OTM by OldTimer - Version 3.1.14.0 log created on 07162010_111956

Files moved on Reboot...
C:\Documents and Settings\Kent\Local Settings\Temp\~DFB033.tmp moved successfully.
C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\Content.IE5\FWG3ZMTX\ads[2].htm moved successfully.
C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\Content.IE5\FWG3ZMTX\topic149961[1].htm moved successfully.
C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\Content.IE5\9FAREKS0\sh20[1].htm moved successfully.
C:\Documents and Settings\Kent\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
File C:\WINDOWS\temp\TMP000000014F29C6299C5DE561 not found!

Registry entries deleted on Reboot...
 
I found the Registry program in Combofix. It was actually downloaded twice: 10/2009 and 12/2009. I have written a script to remove them. Some of the problems you mentioned can easily be system-related. Please run the following:

Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
c:\documents and settings\All Users\Application Data\IObit
c:\documents and settings\Kent\Application Data\IObit
c:\program files\IObit
c:\program files\Registry Patrol
c:\program files\Registry Patrol(2)

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please let me know if there are any malware related problems remaining.
 
Attached is the ComboFix log and here is pasted log for HijackThis. Thanks again for all the help!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:34:00 PM, on 7/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Swift To-Do List\Swift To-Do List Lite.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100519222050.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ContactKeeper Birthday reminder] "C:\Program Files\ContactKeeper\ContactKeeper.exe" /Reminder
O4 - HKCU\..\Run: [SwiftToDoListLite] "C:\Program Files\Swift To-Do List\Swift To-Do List Lite.exe" minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8204 bytes
 

Hi Bobbye ... I'm patiently looking forward to your reply. Okay, I'm not that patient, but I am curious to find out what the latest logs revealed. I notice that I still have 2 instances of iexplore.exe running.
 
I think you missed this line in GMER: Warning ! Please, do not select the "Show all" checkbox during the scan.

My computer is running slow and I had a blue screen yesterday. McAfee today said that a trojan was removed: Artemis!D7A66DDA4489. Also, I noticed in Tasks that (2) iexplore.exe were running.
1. Slow can cover a wide range of causes. Two very common reasons are: Not enough RAM and/or too many programs on startup and running in the background.

2. You have an antivirus program to protect the system and remove viruses, worms and some Trojans. So it's doing its job.

3. A BSOD can happen occasionally. You may never know the reason for it. If you continue to get BSODs and/or notice you are getting them when you try to run a specific program or do a specific function on the system, then you worry.

4. Regarding multiple iexplore.exe processes running: do you know that this is normal for IE8? While it is possible that malware can hide in the process, it is also acceptable to have multiple running.

Are there any other problems in addition to the subject of the thread? These logs are clean.
 
Thanks Bobbye for giving me a clean "bill of health" on the logs. What is the consequence of "Show All" in GMER? My apologies if I created extra work for you.

I don't recall the exact sequence, but McAfee didn't find and remove Artemis until after I was running the logs (it might have been Malwarebytes).

There haven't been any more BSODs (now I know the terminology!) and my computer is booting up faster ... thanks to your help!

Thanks for the info on iexplore.exe ... no, I didn't know that was normal for IE8.

My last questions: 1) Registry Patrol icon is still on my Desktop and 2) What steps do you recommend to keep my computer running clean?

Thanks so much for your help and your time! - Kent
 
Update: McAfee found "FakeAlert-FakeSpy!env.a" earlier and now I'm getting redirected to different websites when I do a Google search (this occurred after I downloaded Google Toolbar). Urggghhh ... what now?

Here's a log of Malwarebytes that I just ran:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4309

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/20/2010 10:13:46 PM
mbam-log-2010-07-20 (22-13-46).txt

Scan type: Quick scan
Objects scanned: 143069
Time elapsed: 29 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wheyazucoc (Trojan.Hiloti) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\kbdibdhs.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\kAZYTNUhEh.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JMRS7NDP\setup[2].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JMRS7NDP\setup[3].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\0.18964769238173818.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
 
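As an added example (not code from the thread or from Malwarebytes), a small Python parser for the Malwarebytes log layout posted above that pulls out each detection and groups it by where it was found (Run-key autostart, browser cache, temp folder, Windows directory), which is the kind of source/location triage a helper does on such a log. The sample log embedded in it is constructed with hypothetical file names, not the one from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the Malwarebytes 1.46 log layout (hypothetical names,
# not the log posted in the thread).
SAMPLE_LOG = """\
Registry Values Infected:
HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\abcxyz (Trojan.Hiloti) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\example.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\\WINDOWS\\temp\\dropped.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\setup[2].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line has the shape: <item> (<family>) -> <action>
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")


def classify(item):
    """Map a detected registry value or file path to the kind of location it lives in."""
    low = item.lower()
    if "\\currentversion\\run" in low:
        return "autostart (Run key)"          # persistence: starts with every logon
    if "temporary internet files" in low:
        return "browser cache (likely download source)"
    if "\\temp\\" in low:
        return "temp folder (dropped payload)"
    if low.startswith("c:\\windows\\"):
        return "Windows directory (planted component)"
    return "other"


def parse_mbam_log(text):
    """Return every detection line as a dict with item, family, action and kind."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:  # headers and "(No malicious items detected)" do not match
            d = m.groupdict()
            d["kind"] = classify(d["item"])
            found.append(d)
    return found


def summarize(detections):
    """Group the detected malware families by location kind."""
    by_kind = defaultdict(list)
    for d in detections:
        by_kind[d["kind"]].append(d["family"])
    return dict(by_kind)


if __name__ == "__main__":
    for kind, families in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{kind}: {', '.join(families)}")
```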
Run this first:

TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Follow with Eset scan:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave Eset log. Some of these entries are in the temporary internet files; maybe I can pinpoint the source and/or locations of other entries.
 
Is there another site to download TFC? (geekstogo is offline while they "investigate a repeated URL injection")
 
What is your status now please?

BTW, this site is back up for TFC:
TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
 