Google Redirect Problem -shovel?[RESOLVED]

brendanandryan · January 28, 2009

Thanks in advance for the help. I have been trying for two days to fix this. Think I am getting close.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:21:34 PM, on 1/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\MsiExec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061115

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232852851046

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.22/ttinst.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--

End of file - 10495 bytes

Rorschach112 · January 29, 2009

hello

Download Rooter.exe to your desktop

Then doubleclick it to start the tool
A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

brendanandryan · January 29, 2009

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : Intel® Pentium® D CPU 2.66GHz )

BIOS : Phoenix ROM BIOS PLUS Version 1.10 A05

USER : Brendan and Ryan ( Administrator )

BOOT : Normal boot

Thanks for the response / help. Here is the notepad result.

Antivirus : McAfee VirusScan (Activated)

Firewall : McAfee Personal Firewall (Activated)

C:\ (Local Disk) - NTFS - Total:71 Go (Free:45 Go)

D:\ (CD or DVD)

Thu 01/29/2009|18:36

----------------------\\ Search..

No infections found !

1 - "C:\Rooter$\Rooter_1.txt" - Thu 01/29/2009|18:37

----------------------\\ Scan completed at 18:37

Rorschach112 · January 29, 2009

hello

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

brendanandryan · January 30, 2009

Here you go: Thank you.

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-29 21:29:15

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF5608F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF55109AA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF5510A41]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF5510958]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF551096C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF5510A55]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF5510A81]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF5510AEF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF5510AD9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF55109EA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF5510B1B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF5510A2D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF5510930]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF5510944]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF55109BE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF5510B57]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF5510AC3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF5510AAD]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF5510A6B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF5510B43]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF5510B2F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF5510996]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF5510982]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF5510A97]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF5510A19]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF5510B05]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF5510A00]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF55109D4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP F55109D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F55109AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP F55109EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP F5510A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP F55109C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP F5510934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP F5510948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP F5510986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP F5510970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP F551095C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP F551099A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP F5510A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP F5510AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP F5510A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP F5510B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP F5510AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP F5510A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP F5510A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP F5510A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP F5510A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP F5510AF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP F5510ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP F5510A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP F5510B5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP F5510B33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP F5510B47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP F5510B1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

.text w_mj32.dll F8827280 6 Bytes [ 00, 00, 00, 00, 00, 00 ]

.text w_mj32.dll F8827289 3 Bytes [ 00, 00, 00 ]

.text w_mj32.dll F8827290 3 Bytes [ 00, 00, 00 ]

.text w_mj32.dll F8827297 3 Bytes [ 00, 00, 00 ]

.text w_mj32.dll F882729E 30 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]

.text ...

? C:\Program Files\Common Files\System\w_mj32.dll The process cannot access the file because it is being used by another process.

.text ntkrnlpa.exe!ZwYieldExecution + 37F4 80504AE8 7 Bytes JMP F55109D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F55109AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP F55109EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!MmUnmapViewOfSection + 1C 805B2E14 5 Bytes JMP F5510A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtFreeVirtualMemory + 5468 805B83E6 7 Bytes JMP F55109C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP F5510934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP F5510948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP F5510986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsCreateSystemThread + 3C 805D1142 7 Bytes JMP F5510970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsCreateSystemProcess + 2A 805D11F8 5 Bytes JMP F551095C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsSetContextThread + 1A4 805D1702 5 Bytes JMP F551099A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsGetProcessExitTime + A68 805D29AA 5 Bytes JMP F5510A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 9350 806219CA 7 Bytes JMP F5510AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 969E 80621D18 7 Bytes JMP F5510A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 99C8 80622042 7 Bytes JMP F5510B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + A266 806228E0 7 Bytes JMP F5510AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + AB3A 806231B4 7 Bytes JMP F5510A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ...

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[132] Explorer.EXE 0101A55F 5 Bytes JMP 00090000

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D8000A

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80093

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80F9E

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80FAF

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80062

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80FCA

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D800BF

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D800AE

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D80F37

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D800D0

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D80F1C

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D80051

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D8001B

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D80F8D

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D80FE5

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D8002C

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D80F5C

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D60FDB

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D60FA5

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D6002C

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D6001B

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D60062

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D60000

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D60047

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D60FCA

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00D70FE5

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00D70000

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00D7001B

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00D7002C

.text C:\WINDOWS\Explorer.EXE[132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D40FEF

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE006B

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE005A

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE003D

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F80

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FAF

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00BE

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0097

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00EA

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F51

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CE0F2C

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CE002C

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CE0000

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CE007C

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CE001B

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CE0FCA

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CE00CF

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CD0FB9

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CD002F

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CD0FCA

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CD000A

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CD0F72

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CD0FEF

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CD0F83

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ ED, 88 ]

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CD0F9E

.text C:\WINDOWS\system32\lsass.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB000A

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40000

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D400B5

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D4009A

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D4007D

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D4006C

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40051

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40F80

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D400D2

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40119

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D400FE

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D4012A

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D40FCA

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D40FE5

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D40F9B

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D40036

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D4001B

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D400ED

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D30FCA

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D30F8A

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D30025

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D3000A

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D30FA5

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D30FEF

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D30047

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D30036

.text C:\WINDOWS\system32\svchost.exe[1048] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10FEF

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FE5

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C9009A

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F9B

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90075

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90058

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FB6

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C900C1

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F79

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F39

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90F54

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C900ED

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C9003D

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C90000

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C90F8A

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C90022

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C90011

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C900D2

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C80FB9

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C80F97

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C80FCA

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C80FEF

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C80054

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C80000

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C8002F

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C80FA8

.text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03120FEF

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03120091

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03120080

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03120065

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0312004A

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03120FB9

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03120F5A

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03120F81

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031200DF

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031200CE

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03120F35

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03120FA8

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03120FDE

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 031200AC

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03120025

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860B7C 3 Bytes JMP 03120014

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA + 4 7C860B80 1 Byte [ 86 ]

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WinExec 7C8623AD 3 Bytes JMP 031200BD

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WinExec + 4 7C8623B1 1 Byte [ 86 ]

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02CF0FDE

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02CF0FB2

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02CF0FEF

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02CF0025

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02CF0FC3

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02CF000A

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02CF005B

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02CF004A

.text C:\WINDOWS\System32\svchost.exe[1152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B3000A

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03110FE5

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03110FD4

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03110FC3

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03110FB2

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800F7C

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800071

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800056

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F8D

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800FC3

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008000BA

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008000A9

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000F0

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F57

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00800F3C

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00800FA8

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00800014

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0080008C

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00800FD4

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00800025

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 008000D5

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007F0FB9

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007F0051

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007F000A

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007F0FD4

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007F0040

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007F0FEF

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007F0F9E

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9F, 88 ]

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007F0025

.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA000A

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F4B

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F70

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0F8D

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0F9E

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA004A

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0067

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0F1F

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA00A7

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F04

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CA00B8

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CA0FC3

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CA0FE5

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CA0F3A

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CA002F

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CA0FD4

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CA0082

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C8000A

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C80036

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C80FC3

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C80FD4

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C80F83

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C80FE5

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00C80F9E

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes CALL C89FEDB5

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C80025

.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C6000A

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C90FEF

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C9000A

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C90FD4

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C90025

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1540] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F5E

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0053

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0042

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0025

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A007A

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F28

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0ED7

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0EFC

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EBC

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F8D

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F39

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FB9

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A000A

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F0D

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290039

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F7C

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FDE

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290014

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F97

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FB2

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FC3

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F55

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F66

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F81

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F9E

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002F

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A007B

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F33

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F07

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F18

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00C5

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0040

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FDE

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F44

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FCD

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0014

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0096

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290036

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290087

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290025

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FEF

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290FC0

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0029000A

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290062

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290047

.text C:\WINDOWS\System32\svchost.exe[3852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.14 ----

Service C:\Program Files\Common Files\System\w_mj32.dll (*** hidden *** ) [sYSTEM] w_mj <-- ROOTKIT !!!

---- Files - GMER 1.0.14 ----

File C:\Program Files\Common Files\System\w_mj32.dll 52480 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

Rorschach112 · January 31, 2009

some fun here

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

brendanandryan · January 31, 2009

Some Fun!? I truly appreciate the help. Not sure how it happened.

SDFix: Version 1.240

Run by Brendan and Ryan on Fri 01/30/2009 at 10:27 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

brendanandryan · January 31, 2009

I already had Combo Fix on this machine, not sure why, but it told me it was expired and could only run in reduced funcionality mode, so I went ahead. Hopefully that was the right choice.

ComboFix 09-01-21.04 - Brendan and Ryan 2009-01-30 23:03:44.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.199 [GMT -5:00]

Running from: c:\documents and settings\Brendan and Ryan\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall *disabled*

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))

.

2009-01-30 22:26 . 2009-01-30 22:26 578,560 --a------ c:\windows\system32\dllcache\user32.dll

2009-01-30 22:23 . 2009-01-30 22:23 <DIR> d-------- c:\windows\ERUNT

2009-01-30 22:13 . 2009-01-30 22:37 <DIR> d-------- C:\SDFix

2009-01-29 20:56 . 2009-01-29 21:20 250 --a------ c:\windows\gmer.ini

2009-01-29 18:35 . 2009-01-29 18:40 <DIR> d-------- C:\Rooter$

2009-01-28 18:29 . 2009-01-28 18:29 <DIR> d-------- c:\program files\Comodo

2009-01-28 18:29 . 2009-01-28 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\BOC427

2009-01-28 18:29 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL

2009-01-28 18:29 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE

2009-01-28 18:29 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb

2009-01-28 18:29 . 2009-01-30 22:46 11,962 --a------ c:\windows\BOC427.INI

2009-01-28 16:20 . 2009-01-28 16:20 <DIR> d-------- c:\program files\Trend Micro

2009-01-28 15:56 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-01-28 15:56 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-01-28 15:16 . 2009-01-28 15:16 <DIR> d-------- C:\fsaua.data

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\SUPERAntiSpyware.com

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-28 12:35 . 2009-01-28 12:35 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\McAfee

2009-01-25 05:20 . 2008-12-13 01:40 3,593,216 --a------ c:\windows\system32\SETC4.tmp

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\scripting

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\en

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\bits

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\l2schemas

2009-01-24 23:24 . 2009-01-24 23:28 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-24 23:17 . 2009-01-24 23:17 <DIR> d-------- c:\windows\EHome

2009-01-24 22:47 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll

2009-01-24 22:47 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat

2009-01-24 22:47 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui

2009-01-24 22:47 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll

2009-01-24 22:47 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll

2009-01-24 22:47 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll

2009-01-24 22:47 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll

2009-01-24 22:47 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-01-24 22:47 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe

2009-01-24 21:39 . 2009-01-24 21:39 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-24 21:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-24 21:38 . 2009-01-24 21:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-24 21:38 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-01 17:42 . 2009-01-01 17:42 <DIR> d-------- c:\program files\iToys

2008-12-31 17:58 . 2008-12-31 17:58 <DIR> d-------- c:\program files\Unity

2008-12-21 11:04 . 2008-12-21 11:04 <DIR> d-------- c:\windows\system32\AGEIA

2008-12-21 11:04 . 2008-12-21 11:04 <DIR> d-------- c:\program files\AGEIA Technologies

2008-12-21 11:03 . 2009-01-28 14:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-21 10:55 . 2008-12-21 10:55 <DIR> d-------- c:\program files\UBISOFT

2008-12-21 10:50 . 2008-12-21 10:50 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-31 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-28 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-01-28 14:34 --------- d-----w c:\program files\Microsoft Silverlight

2009-01-28 14:11 --------- d-----w c:\program files\Microsoft Works

2009-01-25 02:03 --------- d-----w c:\program files\McAfee

2008-12-21 15:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-11-09 21:12 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 18:03 348,160 ----a-w c:\windows\system32\msvcr71.dll

2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe

2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll

2006-12-29 20:01 563,712 ----a-w c:\documents and settings\Brendan and Ryan\gotomypc_370.exe

2007-05-15 10:57 135,168 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2007-11-23 15:44 88 --sh--r c:\windows\system32\3AF0639BEE.sys

2007-11-23 15:44 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( snapshot@2009-01-28_12.45.16.00 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-02-27 20:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll

+ 2008-02-27 20:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll

+ 2008-02-27 21:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll

+ 2008-02-27 20:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe

+ 2007-09-04 20:59:42 380,144 ----a-w c:\windows\Downloaded Program Files\sabspx.dll

+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE

+ 2009-01-31 03:23:47 3,383,296 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

+ 2009-01-31 03:23:47 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2009-01-31 03:23:30 3,383,296 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2009-01-31 03:23:30 8,192 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

+ 2009-01-30 01:56:38 884,736 ----a-w c:\windows\gmer.dll

+ 2009-01-30 01:56:24 811,008 ----a-w c:\windows\gmer.exe

- 2009-01-28 14:16:04 12,288 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-01-28 21:22:03 12,288 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2009-01-28 14:16:04 135,168 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-01-28 21:22:03 135,168 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-01-28 14:16:04 11,264 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-01-28 21:22:03 11,264 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2009-01-28 14:16:04 27,136 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-01-28 21:22:03 27,136 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2009-01-28 14:16:04 4,096 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-01-28 21:22:03 4,096 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-01-28 14:16:04 794,624 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-01-28 21:22:03 794,624 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2009-01-28 14:16:04 249,856 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-01-28 21:22:03 249,856 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2009-01-28 14:16:04 61,440 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2009-01-28 21:22:03 61,440 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2009-01-28 14:16:04 23,040 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-01-28 21:22:03 23,040 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2009-01-28 14:16:04 286,720 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-01-28 21:22:03 286,720 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2009-01-28 14:16:03 409,600 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-01-28 21:22:03 409,600 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-01-28 19:20:20 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2009-01-28 19:20:21 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

- 2009-01-28 17:28:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-01-30 23:56:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-01-28 17:28:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-01-30 23:56:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-28 17:28:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-30 23:56:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-30 01:56:38 85,969 ----a-w c:\windows\system32\drivers\gmer.sys

+ 2005-03-21 16:00:24 4,096 ----a-w c:\windows\system32\sabprocenum.sys

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-01 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 1831936]

"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-16 185896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]

"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]

"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]

"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-16 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-15 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R1 w_mj;w_mj;c:\program files\Common Files\System\w_mj32.dll [2009-01-21 52480]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

R4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [2009-01-28 73464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dbbdcae-d81d-11dd-a297-0014bf7ac4c5}]

\Shell\AutoRun\command - E:\AutoRun.EXE

.

Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.webkinz.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Brendan and Ryan\Application Data\Mozilla\Firefox\Profiles\qzahyiau.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-30 23:04:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-01-30 23:05:36

ComboFix-quarantined-files.txt 2009-01-31 04:05:33

ComboFix2.txt 2009-01-28 17:46:15

Pre-Run: 48,346,423,296 bytes free

Post-Run: 48,362,708,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

279 --- E O F --- 2009-01-28 21:22:18

Rorschach112 · January 31, 2009

Delete ComboFix.exe and the folders C:\ComboFix and C:\qoobox then download and run it again

brendanandryan · February 1, 2009

OK, seems to have run. As always, we truly appreciate your time and help.

ComboFix 09-01-31.01 - Brendan and Ryan 2009-01-31 21:20:01.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.244 [GMT -5:00]

Running from: c:\documents and settings\Brendan and Ryan\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))