
obiwon


Member
I initially suspected a straightforward spyware issue had infected my PC, with the basic symptom of redirecting search results in both FF and IE.

However, after a few days of my attempting to work through a solution, new symptoms arose.

Upon attempting to open ANY program on my PC, including browser programs, I receive three "javascript-similar" pop-up dialog boxes with the caption "Error" and the message "path-to-program.exe" in each box; as I stated, three in a row. I can open browsers and a couple of programs by clicking the "X" in the upper right corner of the dialog boxes; however, most programs will not open.

In addition, virus scan attempts will stop the first time they are run about 45 seconds into the scan, and the experience is that the virus scan program simply crashes by disappearing as if it never started.

Once a new virus scan program is downloaded and installed, such a program may attempt to run, but in most cases the program will not run once it has been run as a program the first time.

This is especially worrisome considering that I am unable to run HijackThis or similar programs to generate a log file.

In order to begin to solve this myriad of issues, I humbly ask for your assistance in opening HijackThis or another program that would generate a log file I can post here, in a manner in which the program would run and complete its procedure and, for that matter, open at all.

My concern is that I will be unable to open any programs or have any virus scan software operate at a level to begin to solve the issue I am facing.

Additionally, acting quickly may help others who currently have a search results issue that may progress into a total system shutdown issue as I am experiencing. I am not sure if the search results redirects are connected to the incapacitated program launching; however, if so, we have new symptoms that are not found on Google or other antivirus forum sites. (imho)

obiwon


Member
http://www.geekstogo.com/forum/Rootkit-via-Win-Police-Pro-A-exe-Desote-other-locked-down-t252106.html

Similar situation on the URL above, generally speaking.

Desote was found by an updated AVG I downloaded and the quick scan is currently functioning.

Specifics:
Adware Generic4.LPF via desote.exe

Also, to make things more fun:
Trojan Horse Dropper.Agent.LZW



Last edited by obiwon on Thu Sep 10, 2009 7:18 am; edited 1 time in total (Reason for editing : more specific information)

Dragon


UNITE Member
Hi there and welcome.

Let's see what we can do.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any entries unless advised!


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

4 part 1 - msg too large on Fri Sep 11, 2009 1:03 am

obiwon


Member
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-10 23:58:19
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8378932E ZwSaveKeyEx
Code 837B6D26 IofCompleteRequest
Code 837B8B70 ZwFlushInstructionCache
Code 837EA3E0 ZwEnumerateKey
Code 8392307E IofCallDriver
Code 839255C6 ZwSaveKey
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA94D562D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA94D5470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA94D55DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA94D55EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA94D5484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA94D54B0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA94D5508]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA94D566D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA94D554D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA94D545C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA94D55B3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA94D55C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA94D5641]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA94D5589]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA94D54F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA94D54DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA94D549A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA94D5575]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA94D5561]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA94D5619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA94D5605]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA94D54C6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA94D569C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA94D5537]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA94D5683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA94D5657]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 012A0036
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 012A0047
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012A0062
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 012A0FAF
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 89]
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 012A0000
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012A0FE5
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012A0FCA
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012A001B
.text C:\WINDOWS\system32\svchost.exe[216] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[216] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01330000
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01330FE5
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0133001B
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0133002C
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01330F6F
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01330F37
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01330F26
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01330F15
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0133009A
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01330F52
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01330FCA
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01330062
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01330FA5
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01330051
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01330F8A
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0133007F
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013300B5
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01290FB5
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01290FE3
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01290000
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01290FC6
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01290F9A
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!system 77C293C7 5 Bytes JMP 01290025
.text C:\WINDOWS\system32\svchost.exe[216] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 83923083
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 837B6D2B
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A94D5631 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A94D5671 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP A94D55B7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP A94D55CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP A94D5609 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP A94D5474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A94D55DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP A94D55F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP A94D5488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP A94D54B4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 837EA3E4
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 7 Bytes JMP A94D550C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 837B8B74
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP A94D5551 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP A94D5460 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A94D5645 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP A94D558D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP A94D54F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP A94D54E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP A94D549E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP A94D5579 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP A94D5565 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSaveKey 80625264 5 Bytes JMP 839255CA
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8062534A 5 Bytes JMP 83789332
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP A94D561D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP A94D54CA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A94D56A0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP A94D553B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A94D5687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A94D565B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 01270FEF
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 0127000A
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 01270FD4
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 01270FC3
.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0128000A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[468] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[468] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[468] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[576] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[576] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[576] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013B0000
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013B0051
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013B0F66
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013B0F77
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013B0F94
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013B0FB9
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013B0F30
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013B0F41
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013B009D
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013B0EFA
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013B00AE
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013B0040
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013B0011
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013B006C
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013B0FCA
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013B0FDB
.text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013B0F15
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90FC0
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90058
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F90011
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90FDB
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90047
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90FA5
.text C:\WINDOWS\system32\svchost.exe[708] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[708] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[708] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F80FC6
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80FE3
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\svchost.exe[708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\svchost.exe[708] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00F60FC0
.text C:\WINDOWS\system32\svchost.exe[708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007A0078
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007A0F83
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007A0F94
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007A0FA5
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007A0051
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007A0F5E
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007A009A
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007A0F0D
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007A0F32
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007A00C1
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007A0FC0
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007A0089
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007A0036
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007A0F43
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0006004B
.text C:\WINDOWS\system32\services.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006003A
.text C:\WINDOWS\system32\services.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[952] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[952] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[952] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[952] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 0004001B

5 part 2 - msg too large on Fri Sep 11, 2009 1:04 am

obiwon


Member
.text C:\WINDOWS\system32\services.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F29
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0F44
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F61
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0F72
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF001E
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0EFB
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0043
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0080
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF006F
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0091
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0F97
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FDE
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F18
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FB2
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF005E
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE0076
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE005B
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CE004A
.text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\system32\lsass.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FA1
.text C:\WINDOWS\system32\lsass.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\lsass.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FC3
.text C:\WINDOWS\system32\lsass.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\lsass.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0FB2
.text C:\WINDOWS\system32\lsass.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0FDE
.text C:\WINDOWS\system32\lsass.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\lsass.exe[964] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[964] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\lsass.exe[964] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\lsass.exe[964] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00050036
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[968] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[968] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[968] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F7C
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0F97
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0065
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0FA8
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0040
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F61
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB00A9
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB00BA
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB0F21
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB00DF
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0FC3
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB008C
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB002F
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB0F46
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007D0FB9
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007D005B
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007D0FCA
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007D0036
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007D0025
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007D0F9E
.text C:\WINDOWS\system32\svchost.exe[1148] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96
.text C:\WINDOWS\system32\svchost.exe[1148] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2
.text C:\WINDOWS\system32\svchost.exe[1148] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0FA1
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C002C
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C0011
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C0FB2
.text C:\WINDOWS\system32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C0FD7
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 007A0025
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EE0F6F
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EE0F80
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EE004E
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EE003D
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EE0022
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EE0F32
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EE0F43
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE0F17
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE00B0
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EE0F06
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EE0F9B
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EE0011
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EE0F54
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EE0FB6
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EE0FD1
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EE009F
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0F9E
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC001E
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC0FB9
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC0FD4
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC0F61
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0F7C
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0F8D
.text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1236] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1236] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0F90
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0025
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0FC6
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0FE3
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FB5
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00D90040
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 040F0000
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 040F0F54
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 040F0053
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 040F0F6F
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 040F0F8A
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 040F0FB6
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 040F007A
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 040F0F32
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 040F00B0
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 040F0F17
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 040F0EFC
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 040F0F9B
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 040F0011
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 040F0F43
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 040F0022
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 040F0FD1
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 040F008B
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03FF001B
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03FF0F83
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03FF000A
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03FF0FD4
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03FF0F94
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03FF0FEF
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03FF0FA5
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1F, 8C]
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03FF0036
.text C:\WINDOWS\System32\svchost.exe[1432] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1432] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1432] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03FE0025
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 03FE000A
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03FE0FB5
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03FE0FEF
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03FE0F9A
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03FE0FC6
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 03FC0000
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 03FC0FE5
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 03FC0025
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 03FC0FD4
.text C:\WINDOWS\System32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03FD0000
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007D0000
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007D0073
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007D0F88
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007D0062
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007D0047
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007D0FCA
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007D008E
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007D0F52
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007D00D5
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007D00BA
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007D0F21
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007D0FA5
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007D0025
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007D0F63
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007D0036
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007D00A9
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007C001B
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007C0FD4
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007C0F79
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007C0F94
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 88]
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007C0FAF
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007B0FBC
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!system 77C293C7 5 Bytes JMP 007B003D
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007B0FDE
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007B0FCD
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 007A0FDB
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 007A0011
.text C:\WINDOWS\system32\svchost.exe[1468] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 007A0022
.text C:\Program Files\Bonjour\mDNSResponder.exe[1576] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1576] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1576] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F72
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F8D
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0F9E
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0051
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA00A4
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0093
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F26
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA00BF
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0F01
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA0082
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA0FCA
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0F41
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007D0FCA
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007D0F86
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007D001B
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007D0F97
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007D0000

Last edited by obiwon on Fri Sep 11, 2009 1:05 am; edited 1 time in total (Reason for editing : subject line)

6 part 3 - msg too large on Fri Sep 11, 2009 1:05 am

obiwon
Member
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007D0FA8
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9D, 88]
.text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007D0FB9
.text C:\WINDOWS\system32\svchost.exe[1916] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0070
.text C:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0FE5
.text C:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C003A
.text C:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C000C
.text C:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C004B
.text C:\WINDOWS\system32\svchost.exe[1916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C0029
.text C:\WINDOWS\system32\svchost.exe[1916] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1916] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1916] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\system32\svchost.exe[1916] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\svchost.exe[1916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007B0FEF
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2164] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2164] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2164] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0075
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0064
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0F8A
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB003D
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0FB6
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB00A1
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F59
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB00E8
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00CD
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB0F34
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB0F9B
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0FDB
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0090
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB002C
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0011
.text C:\WINDOWS\system32\svchost.exe[2484] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB00BC
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0FCA
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0058
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0FA5
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[2484] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA002C
.text C:\WINDOWS\system32\svchost.exe[2484] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\svchost.exe[2484] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C90FAB
.text C:\WINDOWS\system32\svchost.exe[2484] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C90FD7
.text C:\WINDOWS\system32\svchost.exe[2484] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[2484] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90FBC
.text C:\WINDOWS\system32\svchost.exe[2484] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90011
.text C:\WINDOWS\system32\svchost.exe[2484] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00820FE5
.text C:\WINDOWS\system32\svchost.exe[2484] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\svchost.exe[2484] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00820FC0
.text C:\WINDOWS\system32\svchost.exe[2484] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00820FAF
.text C:\Program Files\DNA\btdna.exe[2880] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\DNA\btdna.exe[2880] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\Program Files\DNA\btdna.exe[2880] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01810FEF
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01810F66
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01810F77
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01810F94
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01810FA5
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01810036
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0181009D
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01810F55
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018100B8
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01810F1F
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 018100C9
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01810047
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0181000A
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01810076
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01810FCA
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0181001B
.text C:\WINDOWS\Explorer.EXE[3332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01810F30
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01800FDB
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01800098
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0180002C
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01800011
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01800087
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01800000
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0180006C
.text C:\WINDOWS\Explorer.EXE[3332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01800051
.text C:\WINDOWS\Explorer.EXE[3332] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\Explorer.EXE[3332] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\Explorer.EXE[3332] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
.text C:\WINDOWS\Explorer.EXE[3332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01680F95
.text C:\WINDOWS\Explorer.EXE[3332] msvcrt.dll!system 77C293C7 5 Bytes JMP 01680FA6
.text C:\WINDOWS\Explorer.EXE[3332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01680FC1
.text C:\WINDOWS\Explorer.EXE[3332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01680FEF
.text C:\WINDOWS\Explorer.EXE[3332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01680020
.text C:\WINDOWS\Explorer.EXE[3332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01680FD2
.text C:\WINDOWS\Explorer.EXE[3332] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\Explorer.EXE[3332] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\Explorer.EXE[3332] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00D40000
.text C:\WINDOWS\Explorer.EXE[3332] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00D4001B
.text C:\WINDOWS\Explorer.EXE[3332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01610FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\svchost.exe[216] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[216] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\PROGRA~1\AVG\AVG8\avgnsx.exe[468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\PROGRA~1\AVG\AVG8\avgnsx.exe[468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1236] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1236] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\McAfee\MPF\MPFSrv.exe[2164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\McAfee\MPF\MPFSrv.exe[2164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[2432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[2432] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\DNA\btdna.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\DNA\btdna.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [968] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1576] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\Program Files\DNA\btdna.exe [2880] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [708] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1916] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1236] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [216] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2432] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgnsx.exe [468] 0x35670000
Library \\?\globalroot\systemroot\system32\kbiwkmbrnkxicp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3332] 0x10000000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3332] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [576] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [2164] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1148] 0x35670000
Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1432] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmwpqmqsno.sys (*** hidden *** ) [SYSTEM] kbiwkmwkxdjomu <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu@imagepath \systemroot\system32\drivers\kbiwkmwpqmqsno.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmwpqmqsno.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmyoymqmet.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmolvilrru.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmnxvnmsti.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\modules@kbiwkm.dat \systemroot\system32\kbiwkmwqltiqxh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwkxdjomu\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmbrnkxicp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu@imagepath \systemroot\system32\drivers\kbiwkmwpqmqsno.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main\injector@* kbiwkmwsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmwpqmqsno.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmyoymqmet.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmolvilrru.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmnxvnmsti.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\modules@kbiwkm.dat \systemroot\system32\kbiwkmwqltiqxh.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwkxdjomu\modules@kbiwkmwsp8.dll \systemroot\system32\kbiwkmbrnkxicp.dll

---- EOF - GMER 1.0.15 ----



Last edited by obiwon on Fri Sep 11, 2009 1:06 am; edited 1 time in total (Reason for editing : subject line)
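Every IAT line above resolves to the same hidden module, `\\?\globalroot\Device\__max++>\8394D4A0.x86.dll`, hooking the same two kernel32 imports in every listed process, and the Services section names a hidden driver. The script below is an added example, not part of the thread or of GMER: it parses those three line types from a constructed sample (lines copied from the log above) and summarises which imports are hooked, where the hooks resolve, and which objects GMER marks hidden, which is the triage a helper does by eye when reading such a log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the GMER 1.0.15 log posted above
# (a few lines copied from that log so the output is recognisable; not a new scan).
SAMPLE_GMER_LOG = r"""
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\8394D4A0.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\8394D4A0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1916] 0x35670000
Library \\?\globalroot\systemroot\system32\kbiwkmbrnkxicp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3332] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmwpqmqsno.sys (*** hidden *** ) [SYSTEM] kbiwkmwkxdjomu <-- ROOTKIT !!!
"""

# One regex per GMER line type of interest; field layout taken from the log above.
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<api>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>.+?)\s*$")
LIB_RE = re.compile(
    r"^Library\s+(?P<lib>.+?)\s+(?:\((?P<flags>[^)]*)\)\s+)?@\s+(?P<proc>.+?)\s+"
    r"\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$")
SVC_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+(?:\((?P<flags>[^)]*)\)\s+)?"
    r"\[(?P<account>[^\]]*)\]\s+(?P<name>\S+)")


def parse_gmer(text):
    """Turn IAT / Library / Service lines into dicts; every other line is ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("iat", IAT_RE), ("library", LIB_RE), ("service", SVC_RE)):
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["kind"] = kind
                rec["hidden"] = "hidden" in (rec.get("flags") or "")
                records.append(rec)
                break
    return records


def is_object_namespace_path(path):
    # GMER prints a module that lives at a raw object-manager path (no drive
    # letter) as \\?\globalroot\...; legitimate modules appear under C:\ instead.
    return path.lower().startswith("\\\\?\\globalroot\\")


def triage(records):
    """Summarise what was hooked, where the hooks point, and what GMER calls hidden."""
    hooks = defaultdict(set)   # api -> {(process, pid)}
    targets = set()            # hook destinations outside the normal namespace
    hidden = []                # (kind, path, pid or service name)
    for r in records:
        if r["kind"] == "iat":
            hooks[r["api"]].add((r["proc"], int(r["pid"])))
            if is_object_namespace_path(r["target"]):
                targets.add(r["target"])
        elif r["kind"] == "library" and (r["hidden"] or is_object_namespace_path(r["lib"])):
            hidden.append(("library", r["lib"], int(r["pid"])))
        elif r["kind"] == "service" and r["hidden"]:
            hidden.append(("service", r["path"], r["name"]))
    return {
        "hooked_apis": {api: len(where) for api, where in hooks.items()},
        "hook_targets": sorted(targets),
        "hidden_objects": hidden,
    }


if __name__ == "__main__":
    summary = triage(parse_gmer(SAMPLE_GMER_LOG))
    for api, count in summary["hooked_apis"].items():
        print(f"{api}: hooked in {count} process(es)")
    for target in summary["hook_targets"]:
        print("hook target:", target)
    for kind, path, ident in summary["hidden_objects"]:
        print(f"hidden {kind}: {path} ({ident})")
```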

obiwon


Member
sorry for the three part post

thank you for your help

scan complete, no action taken

===

The three-part post is okay. This board has a limit for how long posts can be. Don't worry at all. ~~ DragonMaster Jay

Dragon


UNITE Member
Please download ComboFix by sUBs from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications
    Usually done via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

ComboFix Log on Sat Sep 12, 2009 5:41 pm

obiwon


Member
ComboFix 09-09-11.01 - [MYLOGINNAME] 09/12/2009 5:02.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.538 [GMT -5]
Running from: c:\documents and settings\[MYLOGINNAME]\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\[MYLOGINNAME]\Application Data\Microsoft\profile.dat
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\drivers\kbiwkmwpqmqsno.sys
c:\windows\system32\kbiwkmbrnkxicp.dll
c:\windows\system32\kbiwkmnxvnmsti.dll
c:\windows\system32\kbiwkmolvilrru.dat
c:\windows\system32\kbiwkmwqltiqxh.dat
c:\windows\system32\kbiwkmyoymqmet.dll
c:\windows\system32\sonhelp.htm

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmwkxdjomu
-------\Legacy_kbiwkmwkxdjomu
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-10 10:32 . 2009-09-10 10:32 -------- d-----w- c:\documents and settings\[MYLOGINNAME]\Local Settings\Application Data\AVG Security Toolbar
2009-09-10 10:23 . 2009-09-10 11:52 -------- d-----w- C:\$AVG8.VAULT$
2009-09-10 10:15 . 2009-09-10 10:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-10 10:15 . 2009-09-10 10:15 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-10 10:15 . 2009-09-10 10:15 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-10 10:15 . 2009-09-10 10:15 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-10 10:15 . 2009-09-10 10:15 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-10 10:15 . 2009-09-10 10:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-10 10:14 . 2009-09-10 10:14 -------- d-----w- c:\program files\AVG
2009-09-10 10:14 . 2009-09-12 09:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-10 10:05 . 2009-09-10 10:05 -------- d-----w- c:\documents and settings\[MYLOGINNAME]\Application Data\AVG8
2009-09-10 05:21 . 2009-09-10 05:21 -------- d-----w- c:\documents and settings\[MYLOGINNAME]\Application Data\Malwarebytes
2009-09-10 05:21 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 05:21 . 2009-09-10 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 05:21 . 2009-09-10 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 05:21 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 02:57 . 2009-09-10 02:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-10 02:29 . 2009-09-10 02:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-10 02:03 . 2009-09-10 02:03 -------- d-----w- c:\documents and settings\[MYLOGINNAME]\Application Data\McAfee
2009-09-09 20:28 . 2009-09-09 20:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-09 02:47 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 18:52 . 2009-09-08 18:52 -------- d-----w- c:\documents and settings\[MYLOGINNAME]\Application Data\FrameFree
2009-08-27 08:23 . 2009-09-10 07:55 -------- d-----w- c:\program files\Trend Micro
2009-08-14 08:15 . 2009-09-09 14:26 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-14 02:49 . 2009-08-14 02:49 -------- d-sh--w- c:\documents and settings\temp\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 20:47 . 2008-09-15 06:20 -------- d-----w- c:\program files\DNA
2009-09-12 20:47 . 2008-09-15 06:20 -------- d-----w- c:\documents and settings\[MYLOGINNAME]\Application Data\DNA
2009-09-12 09:50 . 2006-02-28 12:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-12 08:59 . 2007-07-26 04:49 -------- d-----w- c:\program files\McAfee
2009-09-12 08:49 . 2008-05-24 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-11 03:14 . 2007-07-26 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-10 10:13 . 2008-04-02 17:23 34 ----a-w- c:\windows\system32\BD2140.DAT
2009-09-10 04:58 . 2007-11-15 18:33 -------- d-----w- c:\program files\EditPlus 2
2009-09-10 04:57 . 2007-08-17 20:37 -------- d-----w- c:\documents and settings\[MYLOGINNAME]\Application Data\MP3Downloads
2009-09-10 04:56 . 2008-10-20 23:18 -------- d-----w- c:\program files\Subhash VCDPlayer 2.4
2009-09-09 18:15 . 2007-07-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-09 14:22 . 2007-07-26 11:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-24 05:33 . 2007-07-18 06:14 -------- d-----w- c:\program files\LimeWire
2009-08-15 07:01 . 2007-06-26 06:47 436848 ----a-w- c:\documents and settings\[MYLOGINNAME]\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 07:28 . 2009-08-07 07:26 -------- d-----w- c:\program files\iTunes
2009-08-07 07:28 . 2009-08-07 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-07 07:27 . 2009-08-07 07:26 -------- d-----w- c:\program files\iPod
2009-08-07 07:26 . 2007-08-01 07:04 -------- d-----w- c:\program files\Common Files\Apple
2009-08-07 07:20 . 2008-01-20 00:04 -------- d-----w- c:\program files\QuickTime
2009-08-07 03:10 . 2009-08-07 03:10 -------- d-----w- c:\program files\support.com
2009-08-07 03:10 . 2009-08-07 03:10 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:32 . 2007-07-26 04:51 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 04:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 18:44 . 2007-07-26 04:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2007-07-26 04:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2007-07-26 04:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:44 . 2007-07-26 04:51 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:43 . 2007-07-26 04:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-02-28 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-02-28 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2006-02-28 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2006-02-28 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"pdfFactory Pro Dispatcher v1"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2003-07-23 380928]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe" [2008-08-15 378224]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-10 2007832]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\[MYLOGINNAME]\Start Menu\Programs\Startup\
ImationFlashDetect.lnk - c:\program files\Imation\ImationFlashDetect.exe [2007-7-15 806912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-26 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-10 10:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iBULC\\iBULC.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Zend\\Zend Guard - 5.0.1\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/10/2009 5:15 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/10/2009 5:15 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/10/2009 5:14 AM 297752]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/10/2009 5:14 AM 908056]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys --> c:\windows\system32\DRIVERS\diginet.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [9/5/2007 1:05 PM 54256]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [1/8/2008 12:54 AM 15488]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [1/8/2008 12:56 AM 15232]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-26 23:03]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-823518204-2146892821-1003Core.job
- c:\documents and settings\[MYLOGINNAME]\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 06:14]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-823518204-2146892821-1003UA.job
- c:\documents and settings\[MYLOGINNAME]\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 06:14]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-26 02:26]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-26 02:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZJ
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\[MYLOGINNAME]\Application Data\Mozilla\Firefox\Profiles\xpa17i5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\[MYLOGINNAME]\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 15:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0293151252788871mcinstcleanup]
"ImagePath"="c:\windows\TEMP\029315~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ *×*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-12 15:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 20:56

Pre-Run: 16,638,148,608 bytes free
Post-Run: 20,184,166,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

300 --- E O F --- 2009-09-09 08:08



Last edited by obiwon on Sat Sep 12, 2009 5:46 pm; edited 1 time in total (Reason for editing : subject line)

Dragon


UNITE Member
How is your system working now? Any further problems as you originally posted?
Please post a HijackThis log with your next reply.

obiwon


Member
Error when trying to open HijackThis:

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

Should I try reinstalling HijackThis?

Some other programs are behaving similarly, some work ok.

obiwon


Member
I should add that during the ComboFix process, Windows Police was part of what ComboFix detected and removed.

DragonMaster Jay


Site Owner
Hi

May I step in here?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner



obiwon


Member
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 05:13 on 13/09/2009 by [MYLOGINNAME] (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [12:00 15/05/2008] [12:00 28/02/2006] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 181248 bytes [20:53 12/09/2009] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [11:36 15/05/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll ------ 181248 bytes [12:00 28/02/2006] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [12:01 15/05/2008] [12:00 28/02/2006] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 407040 bytes [20:53 12/09/2009] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [11:34 15/05/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll ------ 407040 bytes [12:00 28/02/2006] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [12:02 15/05/2008] [12:00 28/02/2006] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 56320 bytes [20:53 12/09/2009] [09:50 12/09/2009] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [11:26 15/05/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll ------ 56320 bytes [12:00 28/02/2006] [09:50 12/09/2009] 6D4FEB43EE538FC5428CC7F0565AA656

-=End Of File=-
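The filefind results above carry out the check DragonMaster Jay asked for: the live copy of each DLL in system32 is compared, by size and MD5, against the pristine copy in ServicePackFiles\i386 (the same reference ComboFix reported restoring eventlog.dll from). The script below is an added example, not the forum's or SystemLook's own code: it parses output in that format, classifies each listed copy by directory, and returns a verdict per file; the `example.dll` block and its hashes are constructed to show what a mismatch looks like.

```python
import re

# Constructed sample in the SystemLook :filefind format shown above. The eventlog.dll
# block is copied from the posted log; the "example.dll" block and its hashes are
# made up to exercise the mismatch path.
SAMPLE_SYSTEMLOOK = r"""
========== filefind ==========

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [12:02 15/05/2008] [12:00 28/02/2006] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 56320 bytes [20:53 12/09/2009] [09:50 12/09/2009] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [11:26 15/05/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll ------ 56320 bytes [12:00 28/02/2006] [09:50 12/09/2009] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "example.dll"
C:\WINDOWS\ServicePackFiles\i386\example.dll ------ 40960 bytes [11:26 15/05/2008] [00:11 14/04/2008] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\example.dll ------ 41472 bytes [12:00 28/02/2006] [03:14 10/09/2009] FEDCBA9876543210FEDCBA9876543210

-=End Of File=-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# path, six attribute flags, size, two bracketed timestamps (kept as printed), MD5
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$")


def parse_systemlook(text):
    """Group filefind result lines under the file name that was searched for."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            results.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return results


def classify(path):
    """Which copy of the file a path refers to, based on the XP directory layout."""
    p = path.lower()
    if "\\servicepackfiles\\i386\\" in p:
        return "reference"        # pristine service-pack copy used as the baseline
    if "\\$ntservicepackuninstall$\\" in p:
        return "pre-sp-backup"    # older pre-service-pack build; a different hash is normal
    if "\\erdnt\\" in p:
        return "repair-backup"    # backup copy written during the repair
    if "\\system32\\" in p:
        return "live"             # the copy Windows actually loads
    return "other"


def check_integrity(results):
    """Compare every live copy against the reference copy by size and MD5."""
    verdicts = {}
    for name, entries in results.items():
        roles = {}
        for e in entries:
            roles.setdefault(classify(e["path"]), []).append(e)
        live, ref = roles.get("live", []), roles.get("reference", [])
        if not live:
            verdicts[name] = "missing-live-copy"
        elif not ref:
            verdicts[name] = "no-reference"
        elif all(e["md5"] == ref[0]["md5"] and e["size"] == ref[0]["size"] for e in live):
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_integrity(parse_systemlook(SAMPLE_SYSTEMLOOK)).items():
        print(f"{name}: {verdict}")
```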

DragonMaster Jay


Site Owner
Hi

Go to Start > Run and copy and paste the following command into the field:
ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

==

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

==

I see you are running a P2P application. I suggest you read the following, and then decide whether you want to keep it or not: http://www.helpmyos.com/learn-security-f40/p2p-programs-t1102.htm

==

In your next reply, please post the Malwarebytes log.

Dragon can take it from here.

