Google Redirect Virus?


Post by ohdeucey on 14th June 2010, 12:31 pm

Hi All,

Search results are being redirected to various untrustworthy sites, kind of annoying but manageable. I have seen a bunch of different suggestions for first attempts to diagnose/remove, but I will hold off until something is suggested.

Thanks in advance!


Re: Google Redirect Virus?

Post by Dr Jay on 14th June 2010, 4:37 pm

Hi

Download [You must be registered and logged in to see this link.] to your Desktop. (If you already have it downloaded, then just follow the instructions below).
Alternate link: [You must be registered and logged in to see this link.]

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Dr. Jay (DJ)



Re: Google Redirect Virus?

Post by ohdeucey on 14th June 2010, 6:14 pm

OTL.txt (Part 1)



OTL logfile created on: 6/14/2010 1:54:01 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\flabuski\My Documents\My Downloads\OTL
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 44.65 Gb Free Space | 39.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 770.21 Gb Total Space | 428.54 Gb Free Space | 55.64% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive Q: | 300.00 Gb Total Space | 258.83 Gb Free Space | 86.28% Space Free | Partition Type: NTFS
Drive V: | 273.40 Gb Total Space | 19.20 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive X: | 135.62 Gb Total Space | 4.01 Gb Free Space | 2.95% Space Free | Partition Type: NTFS
Drive Y: | 135.04 Gb Total Space | 82.08 Gb Free Space | 60.78% Space Free | Partition Type: NTFS

Computer Name: CRACKER2
Current User Name: flabuski
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/14 13:51:16 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\flabuski\My Documents\My Downloads\OTL\OTL.exe
PRC - [2010/06/14 09:03:19 | 001,352,320 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/06/14 09:03:19 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/10 15:01:20 | 000,623,984 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2010/04/03 16:44:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2010/03/31 15:03:32 | 000,429,936 | ---- | M] (Blue Ridge Numerics, Inc.) -- C:\Program Files\CFdesign 2010\CFdServ.exe
PRC - [2009/10/15 21:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/09/25 05:50:00 | 000,185,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/09/25 05:50:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/09/25 05:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/09/25 05:50:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/09/11 20:46:46 | 000,144,680 | ---- | M] (Mentor Graphics Corporation) -- C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
PRC - [2009/08/31 21:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2009/08/31 21:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/08/31 21:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/08/31 21:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
PRC - [2009/07/29 13:34:48 | 007,320,872 | ---- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
PRC - [2009/07/20 12:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/10 12:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2009/01/16 15:11:02 | 000,442,368 | ---- | M] (Stratasys, Inc.) -- C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/04 13:10:26 | 000,030,152 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2007/08/30 14:13:00 | 000,032,819 | ---- | M] (LANDesk Software Ltd.) -- C:\WINDOWS\system32\cba\pds.exe
PRC - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 11:19:58 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 11:17:42 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 11:13:26 | 000,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/02/20 13:29:08 | 001,191,936 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/02/20 13:24:34 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2006/09/11 06:40:00 | 000,218,032 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2006/08/23 16:08:38 | 002,129,920 | ---- | M] (BigFix Inc.) -- C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
PRC - [2005/10/07 15:13:38 | 000,176,128 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2005/07/27 17:41:08 | 000,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2004/06/29 00:56:12 | 000,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe


========== Modules (SafeList) ==========

MOD - [2010/06/14 13:51:16 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\flabuski\My Documents\My Downloads\OTL\OTL.exe
MOD - [2009/07/20 12:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/02/20 13:29:46 | 000,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2006/03/22 23:32:00 | 001,466,368 | ---- | M] () -- C:\WINDOWS\system32\nview.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/06/14 09:03:19 | 001,352,320 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/04/10 15:01:20 | 000,623,984 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2010/03/31 15:03:32 | 000,429,936 | ---- | M] (Blue Ridge Numerics, Inc.) [Auto | Running] -- C:\Program Files\CFdesign 2010\CFdServ.exe -- (CFdesign 2010 Server)
SRV - [2010/01/20 01:59:12 | 000,087,336 | ---- | M] (Dassault Systèmes SolidWorks Corp.) [On_Demand | Stopped] -- C:\Program Files\SolidWorks Corp\SolidWorks (2)\swScheduler\DTSCoordinatorService.exe -- (CoordinatorServiceHost)
SRV - [2010/01/08 08:39:19 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/10/27 13:23:54 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2009/10/15 21:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/09/25 05:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/09/11 20:46:46 | 000,144,680 | ---- | M] (Mentor Graphics Corporation) [Auto | Running] -- C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe -- (Remote Solver for Flow Simulation 2010)
SRV - [2009/08/31 21:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2009/08/31 21:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/08/31 21:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/07/20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/03/24 07:39:52 | 000,139,264 | ---- | M] (LANDesk Software, Ltd.) [Disabled | Stopped] -- C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe -- (LANDesk Policy Invoker)
SRV - [2009/01/16 15:11:02 | 000,442,368 | ---- | M] (Stratasys, Inc.) [Auto | Running] -- C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe -- (ModelServerWinServiceP)
SRV - [2008/04/04 13:10:26 | 000,030,152 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Service)
SRV - [2007/08/30 14:13:00 | 000,032,819 | ---- | M] (LANDesk Software Ltd.) [Auto | Running] -- C:\WINDOWS\system32\cba\pds.exe -- (Intel PDS)
SRV - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2007/02/20 13:24:34 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2006/08/23 16:08:38 | 002,129,920 | ---- | M] (BigFix Inc.) [Auto | Running] -- C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe -- (BESClient)
SRV - [2005/09/23 07:01:16 | 002,799,808 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)


========== Driver Services (SafeList) ==========

DRV - [2010/06/14 09:03:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/04/10 14:47:32 | 000,026,624 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2009/08/31 21:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/08/31 21:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/08/31 21:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/08/31 21:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/08/31 21:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/08/31 21:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/06/17 12:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 12:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/12/10 13:56:18 | 000,187,392 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008/09/26 09:53:00 | 000,028,816 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/09/26 09:52:00 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/02/21 11:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/02/08 13:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2006/03/22 23:32:00 | 003,656,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/09/28 21:57:18 | 000,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/03/10 08:26:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/03/25 20:37:08 | 000,052,384 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slabbus.sys -- (slabbus) CP2101 USB Composite Device driver (WDM)
DRV - [2004/03/25 20:36:48 | 000,084,512 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slabser.sys -- (slabser)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [1997/06/17 04:00:00 | 000,004,064 | ---- | M] (Adobe Systems Incorporated) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ATMHELPR.SYS -- (ATMhelpr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.0.%(version)s
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.3
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.91.20100528
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100503
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20


FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/04/06 08:11:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2010/04/14 05:39:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/04 11:51:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/10 05:08:58 | 000,000,000 | ---D | M]

[2009/10/27 15:39:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Extensions
[2010/06/14 08:09:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions
[2010/06/10 05:20:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/10 05:20:27 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/10 05:20:26 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/06/10 05:20:30 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010/06/10 05:20:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/06/10 05:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\ietab@ip.cn
[2010/06/11 15:44:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/23 08:44:52 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/06/10 05:09:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/08/31 21:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/06/10 05:08:40 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/12/09 04:58:24 | 000,274,432 | ---- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\Mozilla Firefox\plugins\npEModelPlugin.dll


Re: Google Redirect Virus?

Post by ohdeucey on 14th June 2010, 6:15 pm

OTL.txt (Part 2)

O1 HOSTS File: ([2010/06/11 20:09:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\communicator.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SolidWorks_CheckForUpdates] C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe (Dassault Systèmes SolidWorks Corp.)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: force.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: polycom.com ([corpid02] * in Trusted sites)
O15 - HKLM\..Trusted Domains: polycom.com ([corpsbltest10.milpitas] * in Trusted sites)
O15 - HKLM\..Trusted Domains: polycom.com ([crm] * in Local intranet)
O15 - HKLM\..Trusted Domains: polycom.com ([crmqa] * in Local intranet)
O15 - HKLM\..Trusted Domains: polycom.com ([salesresourcecenter] * in Local intranet)
O15 - HKLM\..Trusted Domains: polycom.com ([sololearning] * in Trusted sites)
O15 - HKLM\..Trusted Domains: polycom.com ([src] * in Local intranet)
O15 - HKLM\..Trusted Domains: polycom.com ([sso] * in Trusted sites)
O15 - HKLM\..Trusted Domains: salesforce.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: salesresourcecenter ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: src ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: force.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: polycom.com ([corpid02] * in Trusted sites)
O15 - HKCU\..Trusted Domains: polycom.com ([corpmailev01.milpitas] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([corpmailev02.milpitas] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([corpsbltest10.milpitas] * in Trusted sites)
O15 - HKCU\..Trusted Domains: polycom.com ([crm] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([crmqa] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([ev1] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([ev2] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([evsite] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([salesresourcecenter] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([sololearning] * in Trusted sites)
O15 - HKCU\..Trusted Domains: polycom.com ([src] * in Local intranet)
O15 - HKCU\..Trusted Domains: polycom.com ([sso] * in Trusted sites)
O15 - HKCU\..Trusted Domains: salesforce.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: salesresourcecenter ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: src ([]* in Local intranet)
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} [You must be registered and logged in to see this link.] Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe (ProductView Express)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} [You must be registered and logged in to see this link.] (WMI Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} [You must be registered and logged in to see this link.] (JuniperSetupControlXP Class)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} [You must be registered and logged in to see this link.] (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andover.polycom.com
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/22 21:05:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/02/28 08:00:00 | 000,000,000 | ---- | M] () - Q:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/10/22 16:22:49 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "LANDesk Policy Invoker"
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: McAfeeEngineService - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: WdfLoadGroup -
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WdfLoadGroup -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} - Microsoft Office Communicator 2007 R2
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6CF427C4-70FF-DCDB-A29A-043699A4FE22} - Outlook Express
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {AF4D65BF-0FEE-6784-69CC-A63D766C5BD7} - Microsoft Office Communicator 2007 R2
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.PLCMg7221 - C:\WINDOWS\System32\PLCMg7221.acm (Polycom, Inc.)
Drivers32: msacm.PLCMg729A - C:\WINDOWS\System32\PLCMg729A.acm (Polycom, Inc.)
Drivers32: msacm.PLCMsiren - C:\WINDOWS\System32\PLCMsiren.acm (Polycom, Inc.)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (0)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/14 09:03:47 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/14 09:03:44 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/14 08:54:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/06/14 08:54:35 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/06/14 08:54:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/06/10 07:31:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\flabuski\Recent
[2010/06/10 05:11:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/10 05:11:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/10 05:08:58 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/10 05:08:58 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/10 05:08:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/10 05:08:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/10 05:08:58 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/08 15:01:30 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/07 07:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/07 07:37:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/06 17:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\flabuski\Local Settings\Application Data\mhrfvcksg
[2010/05/24 11:06:49 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/24 11:06:43 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/24 10:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

========== Files - Modified Within 30 Days ==========

[2010/06/14 13:23:02 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/14 13:23:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/14 12:31:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/06/14 11:00:10 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/06/14 09:15:41 | 000,180,403 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/06/14 09:15:27 | 000,060,807 | ---- | M] () -- C:\WINDOWS\System32\nvwsapps.xml
[2010/06/14 09:15:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/14 09:12:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/14 09:12:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/14 09:11:31 | 007,864,320 | -H-- | M] () -- C:\Documents and Settings\flabuski\NTUSER.DAT
[2010/06/14 09:11:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\flabuski\ntuser.ini
[2010/06/14 09:03:37 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/14 09:03:36 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/14 09:03:23 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/14 08:55:57 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/06/14 08:54:53 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/14 07:07:09 | 000,180,403 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/06/11 05:33:10 | 000,181,860 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Rabbit-samples-1-130510 Quote.pdf
[2010/06/11 05:29:32 | 000,109,194 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\PLCM Rabbit -1A-8Jun10.pdf
[2010/06/10 18:14:04 | 000,029,475 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\BUY AIRTIME.pdf
[2010/06/10 05:08:38 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/10 05:08:38 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/10 05:08:38 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/10 05:08:38 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/10 05:08:37 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/10 04:58:34 | 000,083,832 | ---- | M] () -- C:\Documents and Settings\flabuski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/06/09 21:39:40 | 002,247,712 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/09 09:29:30 | 000,064,797 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Venus_To_Do_List.pdf
[2010/06/08 15:50:57 | 000,031,430 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Document.rtf
[2010/06/08 15:49:57 | 000,012,788 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Venus_To_Do_List.xlsx
[2010/06/08 14:31:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/07 16:15:04 | 000,385,645 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\receipt.pdf
[2010/06/07 16:13:27 | 000,376,376 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\receipt.jpg
[2010/06/07 15:44:02 | 000,000,654 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/07 08:57:21 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\CCleaner.lnk
[2010/06/07 08:16:43 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\HijackThis.lnk
[2010/06/07 07:33:33 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Tom Donegan Tree 2010.xls
[2010/06/03 20:40:54 | 008,950,042 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Swing.gif
[2010/06/03 10:40:47 | 000,432,031 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\3810-26489-001_r1.ai
[2010/06/03 10:40:32 | 000,433,337 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\3810-26491-001_r1.ai
[2010/06/03 10:38:47 | 000,054,037 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Untitled.jpg
[2010/06/03 10:37:34 | 000,509,523 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\3810-26491-001_r1.pdf
[2010/06/03 10:36:35 | 000,514,524 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\3810-26489-001_r1.pdf
[2010/06/03 09:22:55 | 000,046,592 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Rabbit Ear BOM assembly (2).xls
[2010/06/03 07:13:04 | 000,003,093 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\image.png
[2010/06/02 15:03:46 | 000,083,334 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Vishay_cable_miniature_STC-32T-2.pdf
[2010/06/02 15:02:27 | 000,174,023 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\GORE_Shielded_Twisted_Pair_Controlled_Impedance_DXN3218.pdf
[2010/06/02 09:28:21 | 000,103,509 | ---- | M] () -- C:\WINDOWS\hpoins04.dat
[2010/05/30 19:44:02 | 000,155,136 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\2010SprFinal.xls
[2010/05/27 15:32:50 | 000,705,233 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\1355-52147-001_rA.pdf
[2010/05/25 14:18:32 | 000,542,925 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\User Library-SPRING TEMPLATE-6.zip
[2010/05/25 09:35:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\1358-32889-001_X1_Top Cover Grill.zip
[2010/05/24 12:14:21 | 000,103,358 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\DSL356D-AR-F2.2(2010-5-22).pdf
[2010/05/24 11:34:16 | 000,008,972 | RHS- | M] () -- C:\Documents and Settings\flabuski\ntuser.pol
[2010/05/24 11:08:18 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/19 07:37:14 | 000,063,078 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\1236716522810.jpg
[2010/05/19 07:35:44 | 000,019,870 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\scheibe.jpg
[2010/05/18 20:37:18 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/17 11:15:26 | 000,046,592 | ---- | M] () -- C:\Documents and Settings\flabuski\Desktop\Rabbit Ear BOM_051710.xls

========== Files Created - No Company Name ==========

[2010/06/14 11:56:33 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/14 09:06:01 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/06/14 08:55:57 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/06/14 08:54:52 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/11 05:33:10 | 000,181,860 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Rabbit-samples-1-130510 Quote.pdf
[2010/06/11 05:28:23 | 000,109,194 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\PLCM Rabbit -1A-8Jun10.pdf
[2010/06/10 18:14:04 | 000,029,475 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\BUY AIRTIME.pdf
[2010/06/09 09:29:30 | 000,064,797 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Venus_To_Do_List.pdf
[2010/06/08 15:49:25 | 000,012,788 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Venus_To_Do_List.xlsx
[2010/06/08 14:58:48 | 000,031,430 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Document.rtf
[2010/06/07 20:12:18 | 000,376,376 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\receipt.jpg
[2010/06/07 16:15:04 | 000,385,645 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\receipt.pdf
[2010/06/07 08:57:21 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\CCleaner.lnk
[2010/06/07 08:16:43 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\HijackThis.lnk
[2010/06/07 07:33:32 | 000,113,152 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Tom Donegan Tree 2010.xls
[2010/06/06 21:44:12 | 010,363,096 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/03 20:40:52 | 008,950,042 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Swing.gif
[2010/06/03 10:40:46 | 000,432,031 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\3810-26489-001_r1.ai
[2010/06/03 10:40:31 | 000,433,337 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\3810-26491-001_r1.ai
[2010/06/03 10:38:47 | 000,054,037 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Untitled.jpg
[2010/06/03 10:37:34 | 000,509,523 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\3810-26491-001_r1.pdf
[2010/06/03 10:36:35 | 000,514,524 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\3810-26489-001_r1.pdf
[2010/06/03 07:13:02 | 000,003,093 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\image.png
[2010/06/02 15:03:46 | 000,083,334 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Vishay_cable_miniature_STC-32T-2.pdf
[2010/06/02 15:02:27 | 000,174,023 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\GORE_Shielded_Twisted_Pair_Controlled_Impedance_DXN3218.pdf
[2010/06/02 09:25:22 | 000,103,509 | ---- | C] () -- C:\WINDOWS\hpoins04.dat
[2010/06/02 09:25:22 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat
[2010/06/02 07:50:18 | 000,103,509 | ---- | C] () -- C:\WINDOWS\hpoins04.dat.temp
[2010/06/02 07:50:18 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat.temp
[2010/05/30 19:43:53 | 000,155,136 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\2010SprFinal.xls
[2010/05/27 15:32:50 | 000,705,233 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\1355-52147-001_rA.pdf
[2010/05/25 14:18:42 | 000,772,608 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\SW3dPS-SPRING TEMPLATE-6.SLDPRT
[2010/05/25 14:18:31 | 000,542,925 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\User Library-SPRING TEMPLATE-6.zip
[2010/05/25 09:20:19 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\1358-32889-001_X1_Top Cover Grill.zip
[2010/05/24 12:14:21 | 000,103,358 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\DSL356D-AR-F2.2(2010-5-22).pdf
[2010/05/24 11:08:18 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/20 08:05:58 | 000,046,592 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Rabbit Ear BOM assembly (2).xls
[2010/05/19 07:37:14 | 000,063,078 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\1236716522810.jpg
[2010/05/19 07:35:41 | 000,019,870 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\scheibe.jpg
[2010/05/17 07:53:41 | 000,046,592 | ---- | C] () -- C:\Documents and Settings\flabuski\Desktop\Rabbit Ear BOM_051710.xls
[2010/04/27 22:26:02 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2010/04/27 22:26:02 | 000,000,177 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2010/02/05 09:41:50 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/10/28 11:19:12 | 000,000,617 | ---- | C] () -- C:\WINDOWS\System32\NTS5CSET.INI
[2009/10/28 11:05:32 | 000,000,321 | ---- | C] () -- C:\WINDOWS\IH0DTG.INI
[2009/10/27 13:30:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2009/10/27 10:34:07 | 000,000,162 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/21 11:34:21 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/01/21 11:34:21 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/01/21 11:34:20 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/01/21 11:34:17 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/01/21 11:34:13 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2008/10/08 14:58:19 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2008/04/14 08:00:00 | 000,013,576 | ---- | C] () -- C:\WINDOWS\System32\syscorecfg256.dll
[2007/08/21 20:46:34 | 000,059,160 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2004/04/23 15:17:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\System32\uninstall.ini

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/10/22 16:31:20 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/10/22 16:31:20 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/10/22 16:31:20 | 000,913,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2008/04/14 08:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2008/04/14 08:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2008/04/14 08:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2008/04/14 08:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2008/04/14 08:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2008/04/14 08:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2008/04/14 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2008/04/14 08:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2008/04/14 08:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2008/04/14 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2008/04/14 08:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2008/04/14 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2008/04/14 08:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2008/04/14 08:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2008/04/14 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/14 08:00:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 09:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys

< %systemroot%\system32\drivers\*.dll >

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2009/10/22 21:05:45 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/10/30 08:16:33 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/01/28 21:29:35 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/22 17:22:35 | 000,004,335 | ---- | M] () -- C:\CFDesign_Installation.txt
[2004/08/04 00:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2009/10/22 21:05:45 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/10/12 02:33:08 | 003,573,760 | ---- | M] () -- C:\EVClient_en.msi
[2009/10/22 21:05:45 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[1999/11/24 16:50:02 | 000,163,840 | ---- | M] (Microsoft, Ruud van Velsen) -- C:\KIX32.EXE
[1999/09/01 15:00:00 | 000,047,104 | ---- | M] () -- C:\KX16.DLL
[1999/09/01 15:00:00 | 000,032,768 | ---- | M] (Microsoft, Ruud van Velsen) -- C:\KX32.DLL
[2010/06/14 13:57:38 | 006,149,617 | ---- | M] () -- C:\ModelServerService.log
[2009/10/22 21:05:45 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2002/01/05 04:40:20 | 000,487,424 | ---- | M] (Microsoft Corporation) -- C:\msvcp70.dll
[2002/01/05 04:37:28 | 000,344,064 | ---- | M] (Microsoft Corporation) -- C:\msvcr70.dll
[2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/06/14 09:12:40 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2009/11/05 13:20:31 | 001,162,776 | ---- | M] () -- C:\Polycom_Global_Q209.msi
[2010/03/09 12:00:52 | 000,004,365 | ---- | M] () -- C:\pstfile3.txt
[2009/11/20 12:28:22 | 000,087,725 | ---- | M] () -- C:\ptcsetup.bak
[2010/01/22 08:22:34 | 000,015,048 | ---- | M] () -- C:\ptcsetup.log
[2009/12/23 12:14:40 | 000,487,940 | ---- | M] () -- C:\vcredist_x86.log

< %PROGRAMFILES%\*. >
[2009/11/12 10:42:29 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/04/27 22:30:10 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe Type Manager
[2009/10/27 13:54:51 | 000,000,000 | ---D | M] -- C:\Program Files\AGEIA Technologies
[2009/12/22 08:34:31 | 000,000,000 | ---D | M] -- C:\Program Files\Alibre Design
[2010/01/03 19:46:52 | 000,000,000 | ---D | M] -- C:\Program Files\Apoint
[2009/10/28 14:49:10 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/10/27 09:30:54 | 000,000,000 | ---D | M] -- C:\Program Files\BigFix Enterprise
[2010/05/24 10:57:03 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/11/09 09:18:51 | 000,000,000 | ---D | M] -- C:\Program Files\Bunkspeed
[2010/06/07 08:57:13 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/06/14 09:13:00 | 000,000,000 | ---D | M] -- C:\Program Files\CFdesign 2010
[2009/11/16 15:00:42 | 000,000,000 | ---D | M] -- C:\Program Files\Citrix
[2010/06/10 05:11:16 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/10/22 21:01:02 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/12/23 12:17:00 | 000,000,000 | ---D | M] -- C:\Program Files\Corel
[2009/12/23 16:08:32 | 000,000,000 | ---D | M] -- C:\Program Files\Dell
[2010/03/23 08:14:52 | 000,000,000 | ---D | M] -- C:\Program Files\Dimension
[2010/01/29 14:55:47 | 000,000,000 | ---D | M] -- C:\Program Files\eMusic Download Manager
[2009/10/27 09:30:47 | 000,000,000 | ---D | M] -- C:\Program Files\Enterprise Vault
[2010/06/08 15:01:30 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2010/03/03 12:20:44 | 000,000,000 | ---D | M] -- C:\Program Files\GoldWave
[2010/06/14 08:56:14 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/10/28 08:58:48 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2010/04/27 22:26:10 | 000,000,000 | ---D | M] -- C:\Program Files\ImageServer
[2010/02/17 16:20:32 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2009/10/27 07:46:38 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2009/11/28 01:05:26 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/05/24 11:06:49 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/05/24 11:08:16 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2009/11/23 15:30:58 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/10/27 19:13:08 | 000,000,000 | ---D | M] -- C:\Program Files\JoshMadison
[2010/05/07 04:56:02 | 000,000,000 | ---D | M] -- C:\Program Files\Juniper Networks
[2009/10/27 09:42:20 | 000,000,000 | ---D | M] -- C:\Program Files\LANDesk
[2010/06/14 08:55:01 | 000,000,000 | ---D | M] -- C:\Program Files\Lavasoft
[2009/10/27 19:02:59 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2010/06/07 08:33:43 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/27 10:03:18 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee
[2009/10/23 08:26:00 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/18 22:55:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2009/10/22 21:06:13 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/02/16 10:53:10 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/04/28 22:22:50 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office Communicator
[2010/06/04 19:09:14 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/10/27 10:20:16 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2009/10/27 13:39:44 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 8
[2009/11/22 23:34:25 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2009/10/27 13:38:49 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/03/11 06:39:11 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/06/02 14:04:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/10/27 13:17:04 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2009/10/27 13:44:24 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2009/10/22 20:59:49 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/10/22 21:00:32 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/10/27 18:58:01 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/10/22 21:02:56 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2009/10/22 21:00:45 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/12 16:09:34 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/04/27 22:26:47 | 000,000,000 | ---D | M] -- C:\Program Files\PhotoDeluxe HE 3.1
[2010/02/17 16:20:33 | 000,000,000 | ---D | M] -- C:\Program Files\Polycom
[2009/11/17 11:15:25 | 000,000,000 | ---D | M] -- C:\Program Files\ProductViewExpress
[2009/11/12 20:38:23 | 000,000,000 | ---D | M] -- C:\Program Files\proeWildfire 2.0
[2010/04/06 08:11:16 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/10/27 13:10:52 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2009/10/29 07:59:18 | 000,000,000 | ---D | M] -- C:\Program Files\Robocopy
[2010/02/08 09:39:00 | 000,000,000 | ---D | M] -- C:\Program Files\Safari
[2009/10/22 22:31:01 | 000,000,000 | ---D | M] -- C:\Program Files\Sigmatel
[2009/12/10 09:22:56 | 000,000,000 | ---D | M] -- C:\Program Files\SkyGolf
[2010/03/23 08:44:51 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2010/04/19 12:43:19 | 000,000,000 | ---D | M] -- C:\Program Files\Soft Gold
[2010/03/25 21:38:46 | 000,000,000 | ---D | M] -- C:\Program Files\SolidWorks Corp
[2010/03/31 13:10:57 | 000,000,000 | ---D | M] -- C:\Program Files\Spekan Purge Tool
[2010/01/28 17:19:37 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2010/04/13 08:01:17 | 000,000,000 | ---D | M] -- C:\Program Files\TurboTax
[2009/10/22 21:16:17 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/12/02 03:50:23 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2010/03/29 12:14:16 | 000,000,000 | ---D | M] -- C:\Program Files\Viewpoint
[2009/11/18 16:06:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/11/18 16:06:20 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/10/22 21:00:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/10/22 21:03:39 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/10/27 15:46:01 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2009/10/27 15:43:56 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
[2009/10/22 21:06:13 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2010/01/06 22:05:49 | 000,038,518 | ---- | M] () -- C:\Documents and Settings\flabuski\Application Data\Comma Separated Values (DOS).ADR
[2010/01/09 19:13:02 | 000,038,522 | ---- | M] () -- C:\Documents and Settings\flabuski\Application Data\Comma Separated Values (Windows).ADR
[2009/10/22 16:33:06 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\flabuski\Application Data\desktop.ini
[2009/10/27 19:12:32 | 000,000,760 | ---- | M] () -- C:\Documents and Settings\flabuski\Application Data\setup_ldm.iss


< MD5 for: AGP440.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: DISK.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 08:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2008/07/21 01:44:44 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\WINDOWS\Dell\Intel\IaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVGTS.SYS >
[2008/01/21 14:15:22 | 000,102,400 | ---- | M] (NVIDIA Corporation) MD5=A0B3F3A5049931657164F0FFCF0B208E -- C:\WINDOWS\Dell\NVidia\nvgts.sys

< MD5 for: NVRD32.SYS >
[2008/01/21 14:15:22 | 000,128,000 | ---- | M] (NVIDIA Corporation) MD5=C9128FE14E5C1E55710781B5C276F2ED -- C:\WINDOWS\Dell\NVidia\nvrd32.sys

< MD5 for: SCECLI.DLL >
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2007/02/10 02:06:00 | 000,100,096 | ---- | M] (LSI Logic) MD5=A42F863305943869BA00A613C8EE8C7E -- C:\WINDOWS\Dell\LSI\symmpi.sys

< MD5 for: USBSTOR.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-04 16:21:55
< End of report >

ohdeucey

Re: Google Redirect Virus?

Post by ohdeucey on 14th June 2010, 6:15 pm

extras.txt


OTL Extras logfile created on: 6/14/2010 1:54:02 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\flabuski\My Documents\My Downloads\OTL
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 44.65 Gb Free Space | 39.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 770.21 Gb Total Space | 428.54 Gb Free Space | 55.64% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive Q: | 300.00 Gb Total Space | 258.83 Gb Free Space | 86.28% Space Free | Partition Type: NTFS
Drive V: | 273.40 Gb Total Space | 19.20 Gb Free Space | 7.02% Space Free | Partition Type: NTFS
Drive X: | 135.62 Gb Total Space | 4.01 Gb Free Space | 2.95% Space Free | Partition Type: NTFS
Drive Y: | 135.04 Gb Total Space | 82.08 Gb Free Space | 60.78% Space Free | Partition Type: NTFS

Computer Name: CRACKER2
Current User Name: flabuski
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\LANDesk\LDCLient\AdvanceAgent.exe" = C:\Program Files\LANDesk\LDCLient\AdvanceAgent.exe:*:Enabled:LANDesk Advance Agent -- File not found
"C:\WINDOWS\system32\cba\pds.exe" = C:\WINDOWS\system32\cba\pds.exe:*:Enabled:LANDesk Ping Discovery Service -- (LANDesk Software Ltd.)
"C:\WINDOWS\system32\msgsys.exe" = C:\WINDOWS\system32\msgsys.exe:*:Enabled:LANDesk Message Service -- (LANDesk Software Ltd.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Dimension\CatalystEX 4.0\nt\CatalystEX.exe" = C:\Program Files\Dimension\CatalystEX 4.0\nt\CatalystEX.exe:*:Enabled:CatalystEX -- (Stratasys, Inc.)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\SkyGolf\SkyCaddie Desktop\SkyCaddieDesktop.exe" = C:\Program Files\SkyGolf\SkyCaddie Desktop\SkyCaddieDesktop.exe:*:Enabled:SkyCaddie Desktop -- (Skyhawke Technologies)
"C:\Program Files\Microsoft Office Communicator\communicator.exe" = C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Office Communicator -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Dimension\CatalystEX 4.1\nt\CatalystEX.exe" = C:\Program Files\Dimension\CatalystEX 4.1\nt\CatalystEX.exe:*:Enabled:CatalystEX -- (Stratasys, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Dimension\CatalystEX 4.0\nt\CatalystEX.exe" = C:\Program Files\Dimension\CatalystEX 4.0\nt\CatalystEX.exe:*:Enabled:CatalystEX -- (Stratasys, Inc.)
"C:\Program Files\proeWildfire 2.0\i486_nt\nms\nmsd.exe" = C:\Program Files\proeWildfire 2.0\i486_nt\nms\nmsd.exe:*:Enabled:nmsd -- (PTC)
"C:\Program Files\proeWildfire 2.0\i486_nt\obj\pro_comm_msg.exe" = C:\Program Files\proeWildfire 2.0\i486_nt\obj\pro_comm_msg.exe:*:Enabled:pro_comm_msg -- (PTC)
"C:\Program Files\proeWildfire 2.0\i486_nt\obj\xtop.exe" = C:\Program Files\proeWildfire 2.0\i486_nt\obj\xtop.exe:*:Enabled:xtop -- (PTC)
"C:\Program Files\Microsoft Office Communicator\communicator.exe" = C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Disabled:Microsoft Office Communicator 2007 R2 -- (Microsoft Corporation)
"C:\Program Files\CFdesign 2010\SMPD.EXE" = C:\Program Files\CFdesign 2010\SMPD.EXE:*:Enabled:Process manager service for MPICH2 applications -- (Microsoft Corporation)
"C:\Program Files\Polycom\Polycom CMA Desktop\vvsys.exe" = C:\Program Files\Polycom\Polycom CMA Desktop\vvsys.exe:*:Enabled:Polycom CMA Desktop Media Engine -- (Polycom, Inc.)
"C:\Program Files\SolidWorks Corp\SolidWorks\SLDWORKS.exe" = C:\Program Files\SolidWorks Corp\SolidWorks\SLDWORKS.exe:*:Enabled:SldWorks -- (Dassault Systèmes SolidWorks Corp.)
"C:\Program Files\SolidWorks Corp\SolidWorks (2)\SLDWORKS.exe" = C:\Program Files\SolidWorks Corp\SolidWorks (2)\SLDWORKS.exe:*:Enabled:SldWorks -- (Dassault Systèmes SolidWorks Corp.)
"C:\Program Files\SolidWorks Corp\SolidWorks (2)\swScheduler\DTSMonitor.exe" = C:\Program Files\SolidWorks Corp\SolidWorks (2)\swScheduler\DTSMonitor.exe:*:Enabled:Network Monitor -- (Dassault Systèmes SolidWorks Corp.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{04DD2EE7-31BB-4186-9A30-447283BC26F8}" = HyperShot
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{06379784-4648-46BF-9426-0B10817F0AF5}" = PhotoView 360
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4}" = Microsoft Office Communicator 2007 R2
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{15041B8B-AC63-41DF-91D2-2118CE39E8D9}" = SolidWorks Flow Simulation 2010 SP0
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{23970E31-948B-466E-8376-1224D32FDF0C}" = Convert
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2B639907-BE5A-44FC-BB6E-0DF466241015}" = People+Content IP
"{2D8D14CC-5B31-44B9-87FC-BEC3D8AFFD1D}" = SolidWorks Explorer 2010 SP02.1
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{325CC540-F105-4074-BFC0-B8E26BFFE1D5}" = SolidWorks Explorer 2009 sp0
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3556AF72-0B56-4B2E-8632-0BA8C70F531A}" = CatalystEX 4.1
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{395AD660-EAA2-012B-ADE3-000000000000}" = TurboTax 2009 wmaiper
"{39A96B90-EAA2-012B-ADF7-000000000000}" = TurboTax 2009 wmeiper
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{4675C3C6-9140-4ABC-8326-E2A43F0B3735}" = PTC ProductView Express - Wildfire 2.0 (M280)
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D859FC3-59F5-4EC7-BD03-E6D73DB8C7BD}" = Polycom CMA Desktop
"{4FC37BE8-C605-485B-ADFF-C4AB46A8B7B1}" = LANDesk Advance Agent
"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{56DCD20A-E558-4396-AF59-14D15AA737BB}" = DWGeditor
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{736D2DAD-3D87-4CAA-8646-83D238AD68E0}" = PhotoView 360
"{78F5131C-7C4F-49AA-AA32-B7B42E941BCF}" = SolidWorks 2009 SP04.1
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8CE08C3C-8FF4-45D9-925E-4F3CE2D7FA7D}" = Adobe Setup
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PRJPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PRJPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PRJPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
"{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{9E73617F-2F38-4864-BD61-BB2DDFE43323}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPRO_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PRJPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A4-0409-0000-0000000FF1CE}" = Microsoft Office 2003 Web Components
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}_PRJPRO_{27A9D316-D332-433B-8EB1-1D93EE49F26D}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PRJPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{9151471B-94D0-49A6-827E-6841E8DC9AF9}" = CFdesign 2010
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{961034C0-58DF-11DF-97FD-005056806466}" = Google Earth Plug-in
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A2C8E5C2-B95B-465F-AAAB-B6E0FAF62BC3}" = CatalystEX 4.0.1
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A786161E-959C-4B4B-AA6D-7424C13CCCF2}" = SolidWorks eDrawings 2010
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC388C78-2619-452C-BFBE-FABCC3194387}" = Microsoft Office Live Meeting 2007
"{AC76BA86-1033-0000-BA7E-000000000004}" = Adobe Acrobat 9 Standard
"{AC76BA86-1033-0000-BA7E-000000000004}_932" = Adobe Acrobat 9.3.2 - CPSID_53951
"{AC76BA86-1033-0000-BA7E-000000000004}{AC76BA86-1033-0000-BA7E-000000000004}" = Adobe Acrobat 9 Standard
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{AF2066F6-7C57-46A1-A306-077EBBFC7B2B}" = SolidWorks 2010 SP02.1
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B639A4DE-A375-47D3-89C3-DDCF98D992F7}" = McAfee Agent
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BF7023BC-319B-4FE1-B569-C854A19F81F8}" = BigFix Enterprise Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CCF5961B-EBAF-4A34-8BE0-02CA2B19103B}" = Symantec Enterprise Vault Outlook Add-In
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D481EA96-2313-4A7C-98EE-710D1AF884AC}" = Microsoft Visual Studio 2005 Tools for Applications - ENU
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe Extendscript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF66E173-B9DE-4803-8C88-9E85B083497A}" = Alibre Design
"ABViewer 7_is1" = ABViewer 7
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Type Manager 4.0" = Adobe Type Manager 4.0
"Adobe_2a31ae7a5c43ff52d8577782dd34e04" = Adobe Illustrator CS4
"CCleaner" = CCleaner
"eMusic Download Manager" = eMusic Download Manager 4.1.4
"ESET Online Scanner" = ESET Online Scanner v3
"GoldWave v5.25" = GoldWave v5.25
"Google Chrome" = Google Chrome
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.2
"Juniper Network Connect 6.3.0" = Juniper Networks Network Connect 6.3.0
"Juniper Network Connect 6.4.0" = Juniper Networks Network Connect 6.4.0
"Juniper Network Connect 6.5.0" = Juniper Networks Network Connect 6.5.0
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"Microsoft Visual Studio 2005 Tools for Applications - ENU" = Microsoft Visual Studio 2005 Tools for Applications - ENU
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PRJPRO" = Microsoft Office Project Professional 2007
"ProInst" = Intel(R) PROSet/Wireless Software
"PROPLUS" = Microsoft Office Professional Plus 2007
"SkyCaddieDesktop" = SkyCaddie Desktop
"SLABCOMM" = CP2101 USB to UART Bridge Controller
"SolidWorks Installation Manager 20090-40000-1100-200" = SolidWorks 2009 SP0
"SolidWorks Installation Manager 20090-40401-1100-200" = SolidWorks 2009 SP04.1
"SolidWorks Installation Manager 20100-40000-1100-200" = SolidWorks 2010 SP0
"SolidWorks Installation Manager 20100-40201-1100-200" = SolidWorks 2010 SP02.1
"TurboTax 2009" = TurboTax 2009
"Tweak UI 2.10" = Tweak UI
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"VISPRO" = Microsoft Office Visio Professional 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"GoToMeeting" = GoToMeeting 4.0.0.320
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Move Media Player" = Move Media Player
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/11/2010 3:29:30 PM | Computer Name = CRACKER2 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 6/11/2010 3:29:40 PM | Computer Name = CRACKER2 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 6/11/2010 3:30:46 PM | Computer Name = CRACKER2 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for ANDOVER\flabuski failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 6/11/2010 3:32:17 PM | Computer Name = CRACKER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 6/11/2010 3:32:18 PM | Computer Name = CRACKER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 6/14/2010 6:56:58 AM | Computer Name = CRACKER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 6/14/2010 6:56:58 AM | Computer Name = CRACKER2 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 6/14/2010 7:57:55 AM | Computer Name = CRACKER2 | Source = nview_info | ID = 11141121
Description =

Error - 6/14/2010 7:58:00 AM | Computer Name = CRACKER2 | Source = nview_info | ID = 11141121
Description =

Error - 6/14/2010 8:56:36 AM | Computer Name = CRACKER2 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 6/14/2010 7:53:55 AM | Computer Name = CRACKER2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 6/14/2010 7:53:55 AM | Computer Name = CRACKER2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/14/2010 7:55:01 AM | Computer Name = CRACKER2 | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{FA2EA95A-73DD-4976-A549-64EB922A3173}
because another computer on the network has the same name. The server could not
start.

Error - 6/14/2010 8:09:02 AM | Computer Name = CRACKER2 | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 6/14/2010 8:09:24 AM | Computer Name = CRACKER2 | Source = DCOM | ID = 10010
Description = The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register
with DCOM within the required timeout.

Error - 6/14/2010 8:11:02 AM | Computer Name = CRACKER2 | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 6/14/2010 9:12:52 AM | Computer Name = CRACKER2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 6/14/2010 9:12:52 AM | Computer Name = CRACKER2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/14/2010 9:13:46 AM | Computer Name = CRACKER2 | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{FA2EA95A-73DD-4976-A549-64EB922A3173}
because another computer on the network has the same name. The server could not
start.

Error - 6/14/2010 1:38:49 PM | Computer Name = CRACKER2 | Source = NetBT | ID = 4320
Description = Another machine has sent a name release message to this machine probably
because
a duplicate name has been detected on the TCP network. The IP address of the node
that sent the message is in the data. Use nbtstat -n in a command window to see
which name is in the Conflict state.


< End of report >

ohdeucey
Intermediate

Posts : 66
Joined : 2010-01-28
Gender : Male
OS : Windows XP
Points : 25989
# Likes : 0


Re: Google Redirect Virus?

Post by Dr Jay on 15th June 2010, 12:45 am

GMER

Note about this tool:
  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.


Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14314
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302999
# Likes : 10


Re: Google Redirect Virus?

Post by ohdeucey on 15th June 2010, 5:30 pm

It seemed to scan fine.........it actually blue screened on me after I closed the program and tried to open the log file.

Anyway.....here it is. (in three parts)

Thanks!


Part 1

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-15 12:34:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\flabuski\LOCALS~1\Temp\uwryqpob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA8F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA8F8BFE]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xBA5B2662]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xBA5B2610]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xBA5B2624]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBA5B26A2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xBA5B25D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xBA5B25E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBA5B2676]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xBA5B264E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBA5B263A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBA5B26D1]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBA5B26B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xBA5B268C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP BA5B2690 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP BA5B2666 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP BA5B26A6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP BA5B26BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP BA5B267A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP BA5B25D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP BA5B25EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP BA5B263E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP BA5B2628 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP BA5B2614 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP BA5B2652 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP BA5B26D5 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB89C9380, 0x22091D, 0xE8000020]
.text comctl32.dll!DrawStatusTextW + AD 774005FC 77 Bytes [55, 8B, EC, 83, EC, 18, 56, ...]
.text comctl32.dll!DrawStatusTextW + FB 7740064A 12 Bytes [86, 94, 06, 00, 00, 50, E8, ...]
.text comctl32.dll!DrawStatusTextW + 108 77400657 14 Bytes [08, 66, 8B, 86, 06, 07, 00, ...]
.text ...
.text comctl32.dll!ImageList_SetOverlayImage + 2D 7740142D 58 Bytes [C6, EB, 03, 83, C8, FF, 5B, ...]
.text comctl32.dll!ImageList_SetOverlayImage + 95 77401495 14 Bytes [A9, FF, FF, C1, E0, 0E, 66, ...]
.text comctl32.dll!ImageList_SetOverlayImage + A4 774014A4 40 Bytes [66, 25, 00, 40, 66, 31, 86, ...]
.text comctl32.dll!ImageList_SetOverlayImage + CE 774014CE 12 Bytes [FF, B6, A8, 08, 00, 00, 66, ...]
.text comctl32.dll!ImageList_SetOverlayImage + DB 774014DB 87 Bytes [8B, 1D, 80, 12, 3D, 77, FF, ...]
.text ...
.text comctl32.dll!ImageList_GetIcon + 21 774022BB 7 Bytes CALL E1287910
.text comctl32.dll!ImageList_GetIcon + 29 774022C3 33 Bytes [68, 16, FD, FF, FF, 56, E8, ...]
.text comctl32.dll!GetEffectiveClientRect + 4 774022E5 25 Bytes [45, 0C, 53, 8B, 5D, 08, 56, ...]
.text comctl32.dll!GetEffectiveClientRect + 1E 774022FF 31 Bytes CALL 11C43214
.text comctl32.dll!GetEffectiveClientRect + 3E 7740231F 54 Bytes [39, B3, 9C, 08, 00, 00, 74, ...]
.text comctl32.dll!GetEffectiveClientRect + 75 77402356 7 Bytes [00, 66, 8B, 93, 9A, 06, 00]
.text comctl32.dll!GetEffectiveClientRect + 7D 7740235E 49 Bytes [66, 89, 4D, EE, 0F, B7, C9, ...]
.text ...
.text comctl32.dll!DPA_Search + 11 77402862 2 Bytes [14, FF] {ADC AL, 0xff}
.text comctl32.dll!DPA_Search + 15 77402866 11 Bytes CALL 774022DB \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (User Experience Controls Library/Microsoft Corporation)
.text comctl32.dll!DPA_Search + 21 77402872 2 Bytes [75, 14] {JNZ 0x16}
.text comctl32.dll!DPA_Search + 25 77402876 15 Bytes [10, 53, FF, 75, 08, E8, 23, ...] {ADC [EBX-0x1], DL; JNZ 0xd; CALL 0xffffffffffffaa2d; JMP 0x905}
.text comctl32.dll!DPA_Search + 35 77402886 9 Bytes [75, 14, FF, 75, 10, 53, E8, ...]
.text ...
.text comctl32.dll!DllInstall + 1 77403116 42 Bytes [83, 24, 07, 00, 00, EB, 5B, ...]
.text comctl32.dll!DllInstall + 2C 77403141 181 Bytes [DF, EB, 37, 80, 8B, B9, 08, ...]
.text comctl32.dll!DllInstall + E2 774031F7 72 Bytes [40, 00, 00, C7, 45, D4, E3, ...]
.text comctl32.dll!DllInstall + 12C 77403241 2 Bytes [F8, 11]
.text comctl32.dll!DllInstall + 130 77403245 15 Bytes [EB, 09, FF, 15, A4, 12, 3D, ...] {JMP 0xb; CALL [0x773d12a4]; MOV [EBP+0xc], EAX; CMP [EBP-0x8], SI}
.text ...
.text comctl32.dll!DestroyPropertySheetPage + 3F 774036D3 13 Bytes [15, 40, 11, 3D, 77, FF, B5, ...] {ADC EAX, 0x773d1140; PUSH DWORD [EBP-0x210]; MOV ESI, EAX}
.text comctl32.dll!DestroyPropertySheetPage + 4D 774036E1 37 Bytes [33, FF, 15, 58, 17, 3D, 77, ...]
.text comctl32.dll!DestroyPropertySheetPage + 73 77403707 106 Bytes [15, 54, 17, 3D, 77, 8B, 85, ...]
.text comctl32.dll!DestroyPropertySheetPage + DF 77403773 37 Bytes [6A, 16, 50, 8B, 85, E4, FD, ...]
.text comctl32.dll!DestroyPropertySheetPage + 105 77403799 75 Bytes [6A, FF, 68, 65, 04, 00, 00, ...]
.text ...
.text comctl32.dll!CreatePropertySheetPageW + 7 77403976 144 Bytes CALL 77403873 \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (User Experience Controls Library/Microsoft Corporation)
.text comctl32.dll!CreatePropertySheetPage + 7E 77403A07 21 Bytes [46, 18, 50, FF, 15, 14, 12, ...]
.text comctl32.dll!CreatePropertySheetPage + 94 77403A1D 48 Bytes [15, 28, 14, 3D, 77, E9, 47, ...]
.text comctl32.dll!CreatePropertySheetPage + C5 77403A4E 54 Bytes [15, 40, 15, 3D, 77, 89, 46, ...]
.text comctl32.dll!CreatePropertySheetPage + FC 77403A85 79 Bytes CALL 77403509 \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (User Experience Controls Library/Microsoft Corporation)
.text comctl32.dll!CreatePropertySheetPage + 14C 77403AD5 30 Bytes [15, 9C, 12, 3D, 77, 33, C9, ...]
.text ...
.text comctl32.dll!PropertySheetW + 8 77408C69 6 Bytes [FF, 50, FF, B5, EC, FD] {CALL [EAX-0x1]; MOV CH, 0xec; STD }
.text comctl32.dll!PropertySheetW + F 77408C70 46 Bytes [FF, FF, 15, 30, 15, 3D, 77, ...]
.text comctl32.dll!PropertySheet + 26 77408C9F 70 Bytes [80, 4E, 24, 80, 6A, 00, 53, ...]
.text comctl32.dll!CreateStatusWindowW + 16 77408CE7 24 Bytes [50, 56, C7, 85, C4, FD, FF, ...]
.text comctl32.dll!CreateStatusWindowW + 2F 77408D00 23 Bytes [50, 68, 3B, FE, FF, FF, 56, ...]
.text comctl32.dll!CreateStatusWindow + A 77408D18 8 Bytes CALL 77408D1D \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (User Experience Controls Library/Microsoft Corporation)
.text comctl32.dll!CreateStatusWindow + 13 77408D21 47 Bytes [15, 58, 14, 3D, 77, 8B, 85, ...]
.text comctl32.dll!CreateStatusWindow + 43 77408D51 25 Bytes [16, 3D, 7B, FC, FF, FF, 74, ...]
.text comctl32.dll!CreateStatusWindow + 5E 77408D6C 202 Bytes CALL 7740855E \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (User Experience Controls Library/Microsoft Corporation)
.text comctl32.dll!CreateStatusWindow + 129 77408E37 118 Bytes [85, F6, 74, 30, 83, FE, FF, ...]
.text comctl32.dll!DrawStatusText + 5A 77408EAE 8 Bytes CALL B0408EB3
.text comctl32.dll!DrawStatusText + 63 77408EB7 2 Bytes [85, 82]
.text comctl32.dll!DrawStatusText + 6A 77408EBE 70 Bytes CALL BF8B02EB \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text comctl32.dll!DrawStatusText + B1 77408F05 13 Bytes [38, EB, 0A, 80, 66, 24, 7F, ...] {CMP BL, CH; OR AL, [EAX-0x1480db9a]; ADD AL, 0x80; DEC ESI; AND AL, 0x80}
.text comctl32.dll!DrawStatusText + BF 77408F13 54 Bytes [75, 10, FF, 15, EC, 13, 3D, ...]
.text ...


Re: Google Redirect Virus?

Post by ohdeucey on 15th June 2010, 5:32 pm

part 2



Re: Google Redirect Virus?

Post by ohdeucey on 15th June 2010, 5:34 pm

part 3
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[560] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01000F3C
.text C:\WINDOWS\system32\wuauclt.exe[560] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FA3
.text C:\WINDOWS\system32\wuauclt.exe[560] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0FBE
.text C:\WINDOWS\system32\wuauclt.exe[560] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE001D
.text C:\WINDOWS\system32\wuauclt.exe[560] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\wuauclt.exe[560] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0038
.text C:\WINDOWS\system32\wuauclt.exe[560] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FE3
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0F9E
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF005B
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\wuauclt.exe[560] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\wuauclt.exe[560] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\wuauclt.exe[560] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\wuauclt.exe[560] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FD0FB7
.text C:\WINDOWS\system32\wuauclt.exe[560] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00FD0FA6
.text C:\WINDOWS\system32\wuauclt.exe[560] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0000
.text C:\WINDOWS\Explorer.EXE[948] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[948] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[948] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026D0FEF
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026D0F5C
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026D0F77
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026D0051
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026D0036
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026D0F9E
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026D0F10
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026D0062
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026D0EFF
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026D0098
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026D00A9
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 026D0025
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026D0FD4
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026D0F41
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 026D0FB9
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 026D000A
.text C:\WINDOWS\Explorer.EXE[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026D0073
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 026C001B
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 026C0040
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 026C000A
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 026C0FCA
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 026C0F83
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 026C0FEF
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 026C0F9E
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 8A]
.text C:\WINDOWS\Explorer.EXE[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 026C0FAF
.text C:\WINDOWS\Explorer.EXE[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 026B0FEF
.text C:\WINDOWS\Explorer.EXE[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 026B007A
.text C:\WINDOWS\Explorer.EXE[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 026B003A
.text C:\WINDOWS\Explorer.EXE[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 026B000C
.text C:\WINDOWS\Explorer.EXE[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 026B0055
.text C:\WINDOWS\Explorer.EXE[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 026B0029
.text C:\WINDOWS\Explorer.EXE[948] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 026A0FD4
.text C:\WINDOWS\Explorer.EXE[948] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 026A0FE5
.text C:\WINDOWS\Explorer.EXE[948] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 026A000A
.text C:\WINDOWS\Explorer.EXE[948] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 026A0FAD
.text C:\WINDOWS\Explorer.EXE[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0093
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0FB9
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0076
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC004A
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0F55
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F72
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC00C9
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F3A
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC0F15
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0065
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0014
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0F8D
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00B8
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00850FB9
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00850F94
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00850FD4
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00850051
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00850040
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00850025
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00840FA3
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 00840FB4
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0084002E
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0084000C
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00840FCF
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0084001D
.text C:\WINDOWS\system32\services.exe[1056] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 0083001B
.text C:\WINDOWS\system32\services.exe[1056] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\services.exe[1056] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00830FE3
.text C:\WINDOWS\system32\services.exe[1056] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00830FC8
.text C:\WINDOWS\system32\services.exe[1056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014F0FEF
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014F0062
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014F0047
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014F0036
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014F0F79
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014F000A
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014F008E
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014F007D
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014F00D5
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014F00BA
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014F0F21
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 014F0025
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 014F0FCA
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 014F0F5C
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 014F0F9E
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 014F0FB9
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014F00A9
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0146002C
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01460F91
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01460011
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01460000
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01460058
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01460FE5
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0146003D
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01460FB6
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01450022
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 01450011
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01450FB5
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01450FE3
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01450000
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01450FD2
.text C:\WINDOWS\system32\lsass.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01430FEF
.text C:\WINDOWS\system32\lsass.exe[1068] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01440025
.text C:\WINDOWS\system32\lsass.exe[1068] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 0144000A
.text C:\WINDOWS\system32\lsass.exe[1068] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01440036
.text C:\WINDOWS\system32\lsass.exe[1068] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01440051
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02460000
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02460073
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02460062
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02460F8A
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02460F9B
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0246002C
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024600B0
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02460095
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02460F39
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024600D2
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02460F14
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0246003D
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02460011
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02460084
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02460FC0
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02460FDB
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024600C1
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02450FB9
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02450040
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02450FCA
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0245000A
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0245002F
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02450FEF
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02450F83
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [65, 8A]
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02450F9E
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20FA1
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FBC
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20011
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B2002C
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FD7
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00B10FE5
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00B10036
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B00FE5
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00F72
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00F97
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00FA8
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00FB9
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F50
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00F61
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D000D8
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D00F35
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D00F1A
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D0005B
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00025
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D0008C
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00040
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D000B3
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0014
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0058
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FDE
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0047
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CF0036
.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0FC6
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00CD0FC8
.text C:\WINDOWS\system32\svchost.exe[1288] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00CD001B
.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\System32\svchost.exe[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007C000A
.text C:\WINDOWS\System32\svchost.exe[1432] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007A000C
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04BE0053
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04BE0F68
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04BE0042
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04BE0F79
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04BE0FAF
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04BE0086
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04BE0075
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04BE00BC
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04BE00AB
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04BE0F08
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04BE0F9E
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04BE000A
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04BE0064
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04BE0FCA
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04BE001B
.text C:\WINDOWS\System32\svchost.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04BE0F2D
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01860FB2
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01860032
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01860FC3
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01860FD4
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01860F6B
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01860FEF
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01860F86

ohdeucey

Re: Google Redirect Virus?

Post by ohdeucey on 15th June 2010, 5:34 pm

I lied... part 4

.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A6, 89]
.text C:\WINDOWS\System32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01860FA1
.text C:\WINDOWS\System32\svchost.exe[1432] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0548000A
.text C:\WINDOWS\System32\svchost.exe[1432] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0185005F
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 01850FDE
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01850029
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01850FEF
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01850044
.text C:\WINDOWS\System32\svchost.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01850018
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01840FE5
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01840000
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01840FD4
.text C:\WINDOWS\System32\svchost.exe[1432] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01840027
.text C:\WINDOWS\System32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01830FEF
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00790F5F
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00790054
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 00790F7A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790039
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790FB2
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00790F27
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790F44
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007900B6
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0079009B
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007900C7
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00790FA1
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00790FDE
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0079006F
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790FC3
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0079000A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0079008A
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0078002C
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780FAC
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780FDB
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780011
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780073
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00780058
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0078003D
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0077003D
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FB2
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770022
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770FC3
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770011
.text C:\WINDOWS\system32\svchost.exe[1476] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1476] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1476] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00760FCA
.text C:\WINDOWS\system32\svchost.exe[1476] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0076001D
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A30F7E
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A3007D
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A30062
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A30051
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A30FB9
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A30F35
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A30F52
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A30EEE
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A30F09
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A300A2
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A30040
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A30FDE
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A30F6D
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A30014
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A30F1A
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20014
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A20076
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A2005B
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A2004A
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800FCF
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!system 77C293C7 5 Bytes JMP 0080005A
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800038
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800049
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[1752] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1752] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\system32\svchost.exe[1752] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007F0011
.text C:\WINDOWS\system32\svchost.exe[1752] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007F002E
.text C:\WINDOWS\system32\svchost.exe[1752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C6005B
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F70
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60F8D
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60040
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F35
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C6007D
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60EFF
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60098
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60EDA
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60FA8
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C6006C
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FCA
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C60F1A
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20FB9
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20F43
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20F5E
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C20F79
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 88] {LOOP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10F9C
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C1001D
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C1000C
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10FB7
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C10FD2
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[1932] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00C00027
.text C:\WINDOWS\system32\svchost.exe[1932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F7A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA006F
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0F8B
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0FA8
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0FC3
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA0096
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0F4E
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA00D6
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA00BB
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA0F2C
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA004A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA000A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0F69
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FD4
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0025
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F3D
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D9002C
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90FCA
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D9007D
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90062
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90047
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80042
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80FAD
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D80027
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80FC8
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D70FCA
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F68
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F0005D
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F0004C
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00F83
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F3C
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00084
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000BA
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F000A9
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F000D5
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F4D
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FC3
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[2304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00F2B
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0040
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0FA5
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF002F
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0014
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF006C
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FCA
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\system32\svchost.exe[2304] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0051
.text C:\WINDOWS\system32\svchost.exe[2304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0FCD
.text C:\WINDOWS\system32\svchost.exe[2304] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE004E
.text C:\WINDOWS\system32\svchost.exe[2304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FDE
.text C:\WINDOWS\system32\svchost.exe[2304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[2304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0033
.text C:\WINDOWS\system32\svchost.exe[2304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[2304] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00ED001B
.text C:\WINDOWS\system32\svchost.exe[2304] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[2304] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00ED0FD9
.text C:\WINDOWS\system32\svchost.exe[2304] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00ED0FBE
.text C:\WINDOWS\system32\svchost.exe[2304] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00800000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[392] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405995] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[392] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004059CB] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\BTHUSB \Device\000000b0 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\BTHUSB \Device\000000ae bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c6cbbf0c
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c6cbbf0c (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\FramePkg.exe 6600269 bytes executable

---- EOF - GMER 1.0.15 ----

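The user-mode hook section of the GMER log above is easier to read once the entries are grouped by process and by the memory page the JMPs land in: the same exports hooked in every svchost, with targets in small private pages, is the footprint of a single hooking agent, and the `.text` lines give only the target address, not the module behind it. This is an added example, not code from GMER or from anyone in this thread; it runs on constructed lines in the same format, and grouping targets by 64 KiB page is an assumption made for readability.

```python
import re
from collections import defaultdict

# One GMER 1.0.15 user-mode inline-hook line (the ".text ... JMP ..." entries):
#   .text <image>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target>
# Lines that patch bytes without a JMP (e.g. "2 Bytes [E2, 88] {LOOP ...}") and the
# IAT/Devices/Registry sections do not match and are skipped.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s+\+\s+\d+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample in the same format as the log above (not copied from it).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\system32\svchost.exe[1752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C20F79
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 88] {LOOP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
IAT C:\WINDOWS\system32\mfevtps.exe[392] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004059CB]
"""


def parse_hooks(lines):
    """Return one dict per JMP hook found in an iterable of GMER log lines."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "image": m["image"],
            "pid": int(m["pid"]),
            "export": f'{m["module"]}!{m["export"]}',
            "addr": int(m["addr"], 16),       # patched prologue inside the system DLL
            "nbytes": int(m["nbytes"]),       # 5 = a whole E9 rel32 JMP; less = split patch
            "target": int(m["target"], 16),   # where the JMP lands
        })
    return hooks


def summarize_by_process(hooks):
    """Per (image, pid): the hooked exports and the 64 KiB pages the JMPs land in."""
    summary = defaultdict(lambda: {"exports": set(), "target_pages": set()})
    for h in hooks:
        entry = summary[(h["image"], h["pid"])]
        entry["exports"].add(h["export"])
        entry["target_pages"].add(h["target"] & 0xFFFF0000)
    return dict(summary)


def common_hook_set(summary):
    """Exports hooked in every process; a large shared set points at one hooking agent."""
    sets = [v["exports"] for v in summary.values()]
    return set.intersection(*sets) if sets else set()


def partial_patches(hooks):
    """Hooks reported as fewer than 5 bytes: GMER split the patch, so the adjacent
    '<export> + <off>' line carries the rest and the pair should be read together."""
    return [(h["pid"], h["export"]) for h in hooks if h["nbytes"] < 5]


def analyze(text):
    hooks = parse_hooks(text.splitlines())
    summary = summarize_by_process(hooks)
    return {
        "hooks": len(hooks),
        "processes": summary,
        "common": common_hook_set(summary),
        "partial": partial_patches(hooks),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f'{report["hooks"]} JMP hooks in {len(report["processes"])} processes')
    for (image, pid), entry in sorted(report["processes"].items(), key=lambda kv: kv[0][1]):
        pages = ", ".join(f"{p:08X}" for p in sorted(entry["target_pages"]))
        print(f"  {image}[{pid}]: {len(entry['exports'])} exports hooked -> pages {pages}")
    print("hooked in every process:", sorted(report["common"]))
    print("split patches to read with their '+ off' line:", report["partial"])
```

Feed it the whole GMER report and the per-process summary shows at a glance whether every process carries the same hook set; which module owns the target pages still has to be established from a module list, which this section of the log does not contain.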

Re: Google Redirect Virus?

Post by Dr Jay on 15th June 2010, 6:49 pm

Please do a scan with [You must be registered and logged in to see this link.]

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Dr. Jay (DJ)


Re: Google Redirect Virus?

Post by ohdeucey on 17th June 2010, 7:47 am

Found nothing, problem still exists.



Thursday, June 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, June 16, 2010 16:21:16
Records in database: 4286134
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
Q:\
V:\
X:\
Y:\
Scan statistics
Objects scanned 164904
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 06:29:33

No threats found. Scanned area is clean.
Selected area has been scanned.


Re: Google Redirect Virus?

Post by Dr Jay on 17th June 2010, 5:54 pm

We need to do some diagnostics.

1. Please download [You must be registered and logged in to see this link.] by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.


2. Download [You must be registered and logged in to see this link.] by ad13 and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


3. In your next reply, please post the following logs for my review:
  • Profiles log (1)
  • Win32kDiag log (2)


Thanks!


Dr. Jay (DJ)


Re: Google Redirect Virus?

Post by ohdeucey on 17th June 2010, 6:24 pm

Profiles


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1004336348-1220945662-527237240-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Frank Labuski

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1004336348-2077806209-725345543-2722
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\wgomber

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1004336348-2077806209-725345543-2924
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\flabuski

SystemRoot REG_SZ C:\WINDOWS





Win32kDiag

Running from: C:\Documents and Settings\flabuski\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\flabuski\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


Re: Google Redirect Virus?

Post by Dr Jay on 17th June 2010, 8:13 pm

Please download MySystem-Search from one of the following links:
  • Save the file to your Desktop.
  • Double-click on mss.exe
  • Allow it to run, and follow the prompts.
  • Once done, it will launch a log. Close this log, I do not need it right now.
  • Look for a file in the same location called systemintegrity.txt. Please open that, and copy and paste that in to your next reply.


Dr. Jay (DJ)


Re: Google Redirect Virus?

Post by ohdeucey on 17th June 2010, 8:34 pm

System File Integrity

6D4FEB43EE538FC5428CC7F0565AA656 C:\WINDOWS\system32\eventlog.dll
A86BB5E61BF3E39B62AB4C7E7085A084 C:\WINDOWS\system32\scecli.dll
1B7F071C51B77C272875C3A23E1E4550 C:\WINDOWS\system32\netlogon.dll
9F3A2F5AA6875C72BF062C712CFA2674 C:\WINDOWS\system32\drivers\atapi.sys
044452051F3E02E7963599FC8F4F3E25 C:\WINDOWS\system32\drivers\disk.sys
1DF7F42665C94B825322FAE71721130D C:\WINDOWS\system32\drivers\ndis.sys
A32426D9B14A089EAA1D922E0C5801A9 C:\WINDOWS\system32\drivers\usbstor.sys
DA1F27D85E0D1525F6621372E7B685E9 C:\WINDOWS\system32\drivers\beep.sys
12896823FB95BFB3DC9B46BCAEDC9923 C:\WINDOWS\explorer.exe
8C515081584A38AA007909CD02020B3D C:\WINDOWS\system32\alg.exe
8AAD333C876590293F72B315E162BCC7 C:\WINDOWS\system32\ansi.sys
BDAAF79DD63F194434D31A74B9BB8B77 C:\WINDOWS\system32\crypt32.dll
9EF487A186DEA361AA06913A75B3FA99 C:\WINDOWS\system32\drivers\kbdhid.sys
B921FB870C9AC0D509B2CCABBBBE95F3 C:\WINDOWS\system32\kernel32.dll
ED4BF709AAD8B665075DE06A0945B030 C:\WINDOWS\system32\keyboard.drv
FBBCFEC1379C5C02D88A361993EDF1B8 C:\WINDOWS\system32\keyboard.sys
7D29780AC88BB7292CDCFF71BA67433D C:\WINDOWS\system32\mouse.drv
8FD99680A539792A30E97944FDAECF17 C:\WINDOWS\system32\drivers\acpi.sys
CCF5F451BB1A5A2A522A76E670000FF0 C:\WINDOWS\system32\drivers\pciide.sys
76C465F570E90C28942D52CCB2580A10 C:\WINDOWS\system32\drivers\scsiport.sys
9AEFA14BD6B182D61E3119FA5F436D3D C:\WINDOWS\system32\drivers\tcpip.sys
832E4DD8964AB7ACC880B2837CB1ED20 C:\WINDOWS\system32\mswsock.dll
D72B9EC3337B247A666F098F3D6B43DE C:\WINDOWS\system32\winrnr.dll
72451FD61DDBB0A1FB071B7C3CDE5594 C:\WINDOWS\system32\rsvpsp.dll
{EOF}


Re: Google Redirect Virus?

Post by Dr Jay on 18th June 2010, 4:07 am

Please download [You must be registered and logged in to see this link.] and install it. If you already have it, no need to reinstall.

Then, download [You must be registered and logged in to see this link.] and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.


Dr. Jay (DJ)


Re: Google Redirect Virus?

Post by ohdeucey on 18th June 2010, 2:24 pm

Part 1

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x8061A344-->BA8F887E [Lbd.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x806188B6-->BA8F8BFE [Lbd.sys]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x8A403830 [4] System
0x89FEC6D0 [156] C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks, Network Connect Service)
0x89753DA0 [268] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft, Ad-Aware Tray Application)
0x89A1FDA0 [280] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation, ViewMgr)
0x89C6BBC0 [308] C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc., Intuit Update Service)
0x8A2719E0 [420] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x89B6B880 [560] C:\WINDOWS\system32\cba\pds.exe (LANDesk Software Ltd., CBA -- Ping Discovery Service)
0x89C72A30 [732] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x89BEA680 [756] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
0x8A229DA0 [760] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x8A14D988 [820] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x89F4E540 [844] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x8A22FDA0 [888] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x8A172020 [900] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x89F2C8B8 [1052] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89C03880 [1112] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89F6DBC8 [1148] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89C55020 [1196] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89C40A18 [1320] C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation, Intel(R) PROSet/Wireless Event Log)
0x8A171408 [1352] C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation , Wireless Management Service)
0x89C476A0 [1388] C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel(R) Corporation, WLANKEEPER)
0x8A240498 [1460] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A23AA40 [1584] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89C3B608 [1664] C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft, Ad-Aware Service Application)
0x8A246C38 [1728] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x89C69DA0 [1776] C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc., McAfee Process Validation Service)
0x89F2E240 [1804] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A14AA80 [1908] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)
0x89DDADA0 [1944] C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe (BigFix Inc., BigFix BESClient Application)
0x8A18D020 [1984] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0x89ADD990 [1996] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89AE9020 [2020] C:\Program Files\CFdesign 2010\CFdServ.exe (Blue Ridge Numerics, Inc., CFdesign 2010 Server)
0x89F28980 [2060] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x89BEF978 [2096] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x89C58A30 [2104] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x89ADABC0 [2116] C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation, ZeroCfgSvc MFC Application)
0x89F35DA0 [2128] C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation, Intel Framework MFC Application)
0x89C1D4D0 [2144] C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc., Internal Network Card Power Management Service)
0x89C306D8 [2244] C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe (Dassault Systèmes SolidWorks Corp., sldIM)
0x8A057DA0 [2276] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 84.30)
0x8971B020 [2404] C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation, WMI)
0x89C5E488 [2412] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc., AcroTray)
0x89AF59E0 [2444] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x89B1F620 [2452] C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation, Intel(R) PROSet/Wireless Registry Service)
0x89C02DA0 [2556] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc, QuickSet)
0x89C12588 [2612] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver)
0x8A267DA0 [2652] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x89BF7948 [2656] C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe (Mentor Graphics Corporation, StandAloneSlv Module)
0x89C0EB28 [2676] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc., Common User Interface)
0x89BB1BE8 [2832] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
0x89B896D8 [2888] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
0x89B696E8 [2904] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89B95BE0 [2948] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation, Macrovision Software Manager)
0x897827E8 [3000] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x89BF84C0 [3004] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x89B60260 [3016] C:\Program Files\Apoint\hidfind.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver)
0x89B31768 [3036] C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver for Windows NT/2000/XP)
0x89B5E608 [3064] C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation, Viewpoint Media Player ViewpointService.exe)
0x89B60BC0 [3172] C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc., McTray Application)
0x8A091BC0 [3232] C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc., Logitech SetPoint Event Manager (UNICODE))
0x89B87BC0 [3468] C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe (Stratasys, Inc., 3D Printers Service)
0x896E5D50 [3724] C:\Documents and Settings\flabuski\My Documents\My Downloads\RootkitUnhooker\RkU3.8.388.590\MustBeRandomlyNamed\rqvokqx32g5lG.exe (UG North, RKULE, SR2 Normandy)
0x89C84DA0 [3888] C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc., Logitech KHAL Main Process)
==============================================
>Drivers
==============================================
0xBF9D6000 C:\WINDOWS\System32\nv4_disp.dll 3977216 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 84.30 )
0xB8912000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3657728 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 84.30 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBA62A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB4E4D000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xB524F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB86DB000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB5366000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9E72B000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBA591000 mfehidk.sys 335872 bytes (McAfee, Inc., McAfee Link Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB520C000 C:\WINDOWS\System32\Drivers\bthport.sys 274432 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0xB8865000 C:\WINDOWS\system32\drivers\STAC97.sys 274432 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0x9CDE2000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB88CC000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 204800 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB8739000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xBA779000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9E9C5000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xBA5FD000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB52BF000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB5316000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB8841000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB88A8000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB881E000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x9CE73000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB52EA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xBA6F3000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xBA72B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBA74A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xB4C08000 C:\WINDOWS\System32\Drivers\usbvideo.sys 122880 bytes (Microsoft Corporation, USB Video Class Driver)
0xB8803000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 110592 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xBA5E3000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB4AEB000 C:\WINDOWS\system32\DRIVERS\bthpan.sys 102400 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
0xBA713000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xBA6CA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB87D8000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9E910000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB87EF000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB88FE000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB53BF000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBA6B7000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF9C4000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBA6E1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xBA768000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB87C7000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA19C0000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB9881000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB98A1000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB98C1000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA8F8000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xB9871000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB7526000 C:\WINDOWS\system32\DRIVERS\rfcomm.sys 61440 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0xA8065000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBAA78000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xBA988000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA998000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBA8E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB98B1000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB9577000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA8C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA918000 C:\WINDOWS\System32\Drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB9557000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB9861000 C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys 45056 bytes (Juniper Networks, dsNcAdapter)
0xBA9C8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB9891000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA8B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB9567000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA8A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA9F8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB9537000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA8D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB74E6000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBAAA8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA938000 C:\WINDOWS\System32\Drivers\LEqdUsb.Sys 36864 bytes (Logitech, Inc., Logitech Equad USB Driver.)
0xB9547000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA9A8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9E1EB000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBAA58000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB53D2000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xB510F000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0xBAB70000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB7E30000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBABE0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBAB58000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBAB28000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBABF8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBABF0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBABE8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xA78B5000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xBABD8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBAB60000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA7C01000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xB53DA000 C:\WINDOWS\system32\DRIVERS\BthEnum.sys 20480 bytes (Microsoft Corporation, Bluetooth Bus Extender)
0xBAB78000 C:\WINDOWS\System32\Drivers\BTHUSB.sys 20480 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
0xBAB68000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBAB30000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBAC08000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBAC10000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBAC00000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA1C03000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB745E000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xBACC0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBAD48000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB535A000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBAD68000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB7462000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB7DDD000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)
0xA7D7B000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xBA08C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBACB8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBACBC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xA1B77000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB744E000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB5356000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA084000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBAD78000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBAD84000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xBAE42000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBAE40000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBADAC000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBADA8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBAE44000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBADEA000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBAE46000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBADFE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBAE3E000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBADAA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBAFBA000 C:\WINDOWS\System32\Drivers\ATMhelpr.SYS 4096 bytes (Adobe Systems Incorporated, Windows NT Font Driver Helper)
0xBAE83000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA77E5000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBAEC8000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
0xB4CB0000 C:\WINDOWS\System32\Drivers\LHidEqd.Sys 4096 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xBAFB9000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBAE70000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8A2B8AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x8A3AE628 ?_empty_? 0 bytes

ohdeucey
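Reading a RootkitUnhooker report of this length by hand is slow, so here is a small triage script, added as an example for this thread and not part of RootkitUnhooker or of the posted log. It parses the three kinds of finding the tool emits (the "Hidden driver" lines, the WARNING lines of the Stealth section and the hook lines) and cross-references them: a driver-modification warning whose address matches a Hidden driver entry is reported together, hooks whose jump target RkU resolved to a named module are counted per module, and hooks whose target is 00000000 in an unknown code page are grouped per process. The sample report is a constructed cut-down of lines in the shape RkU prints, using addresses that appear in this thread's log; the trusted-owner list (mfehidk.sys, which the log itself describes as McAfee's driver) is an assumption made for the example and should be set per host.

```python
"""Triage helper for RootkitUnhooker (RkU) text reports (added example, not part of RkU)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a cut-down RkU report whose lines are copied in the shape the tool emits.
SAMPLE_REPORT = """\
==============================================
>Drivers
==============================================
0xBA713000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
!!!!!!!!!!!Hidden driver: 0x8A2B8AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x8A3AE628 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xBA713000 WARNING: suspicious driver modification [atapi.sys::0x8A2B8AEA]
0xBA8A8000 WARNING: Virus alike driver modification [isapnp.sys], 40960 bytes
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002AC48, Type: Inline - RelativeJump 0x80501C48-->80501BD6 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8056E2EE-->BA5B2666 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805C1316-->BA5B25D8 [mfehidk.sys]
[1052]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1052]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1148]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
"""

HIDDEN_RE = re.compile(r"Hidden driver:\s+0x([0-9A-Fa-f]+)")
MOD_RE = re.compile(r"^0x[0-9A-Fa-f]+\s+WARNING: (?P<kind>.+?) \[(?P<driver>[^\]:]+)(?:::0x(?P<addr>[0-9A-Fa-f]+))?\]")
HOOK_RE = re.compile(r"^(?:\[(?P<pid>\d+)\])?(?P<site>.+?), Type: (?P<kind>.+?) 0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]\s*$")


@dataclass(frozen=True)
class Hook:
    pid: Optional[int]  # None for kernel-mode hooks (ntkrnlpa.exe lines carry no PID)
    process: str
    target: str         # hooked symbol, e.g. "kernel32.dll-->CreateProcessA", or "+offset"
    kind: str
    src: int            # address of the patched instruction
    dst: int            # where the jump lands; 0 when RkU printed 00000000
    owner: str          # module RkU attributed dst to, or "unknown_code_page"


def parse_report(text):
    """Collect hidden drivers, Stealth-section driver warnings and hook lines from an RkU report."""
    hidden, mods, hooks = set(), [], []
    for line in text.splitlines():
        m = HIDDEN_RE.search(line)
        if m:
            hidden.add(int(m.group(1), 16))
            continue
        m = MOD_RE.match(line)
        if m:
            addr = int(m["addr"], 16) if m["addr"] else None
            mods.append({"kind": m["kind"], "driver": m["driver"], "addr": addr})
            continue
        m = HOOK_RE.match(line)
        if m:
            site = m["site"]
            process, _, target = site.partition("-->")
            process = process.split("+", 1)[0]  # "ntkrnlpa.exe+0x..." -> "ntkrnlpa.exe"
            hooks.append(Hook(int(m["pid"]) if m["pid"] else None, process,
                              target or site[len(process):], m["kind"],
                              int(m["src"], 16), int(m["dst"], 16), m["owner"]))
    return {"hidden_drivers": hidden, "driver_mods": mods, "hooks": hooks}


def triage(report, trusted_owners=frozenset({"mfehidk.sys"})):
    """Bucket findings: driver warnings that point at a hidden driver, hooks owned by a
    trusted module, hooks with an unresolved target, and hooks owned by anything else.
    trusted_owners is an assumption for this example (mfehidk.sys = McAfee per the log)."""
    hidden_refs, other_mods = [], []
    expected, unresolved, unexpected = defaultdict(int), defaultdict(list), defaultdict(list)
    for mod in report["driver_mods"]:
        if mod["addr"] is not None and mod["addr"] in report["hidden_drivers"]:
            hidden_refs.append((mod["driver"], mod["addr"]))
        else:
            other_mods.append(mod["driver"])
    for h in report["hooks"]:
        if h.dst == 0 or h.owner == "unknown_code_page":
            unresolved[(h.pid, h.process)].append(h.target)
        elif h.owner in trusted_owners:
            expected[h.owner] += 1
        else:
            unexpected[(h.pid, h.process)].append(h.target)
    return {"hidden_driver_refs": hidden_refs, "other_mods": other_mods,
            "expected_hooks": dict(expected), "unresolved_hooks": dict(unresolved),
            "unexpected_hooks": dict(unexpected)}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for driver, addr in result["hidden_driver_refs"]:
        print(f"{driver} modified to reference hidden driver 0x{addr:08X}")
    for (pid, proc), apis in result["unresolved_hooks"].items():
        print(f"PID {pid} {proc}: {len(apis)} inline hook(s) with unresolved target: {', '.join(apis)}")
```

Run it against a saved RkU report by replacing SAMPLE_REPORT with the file contents; the point of the buckets is that a hook attributed to a security product's own driver is the product's expected behaviour, while a hook whose target RkU could not attribute to any loaded module, or a driver warning that lines up with a Hidden driver address, is what needs a human next.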

Re: Google Redirect Virus?

Post by ohdeucey on 18th June 2010, 2:25 pm

Part 2

==============================================
>Stealth
==============================================
0xBA713000 WARNING: suspicious driver modification [atapi.sys::0x8A2B8AEA]
0x05480000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 126976 bytes
0x03990000 Hidden Image-->System.XML.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 2060288 bytes
0x045A0000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 266240 bytes
0x04330000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 270336 bytes
0x030B0000 Hidden Image-->log4net.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 282624 bytes
0x04000000 Hidden Image-->System.Data.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 2961408 bytes
0x04AC0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 307200 bytes
0x03370000 Hidden Image-->System.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 3158016 bytes
0xBA8A8000 WARNING: Virus alike driver modification [isapnp.sys], 40960 bytes
0x05390000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 421888 bytes
0x03250000 Hidden Image-->System.configuration.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 438272 bytes
0x043A0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 479232 bytes
0x04D10000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 5033984 bytes
0x02E60000 Hidden Image-->msvcm80.dll [ EPROCESS 0x89B87BC0 ] PID: 3468, 507904 bytes
0x052F0000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x89C6BBC0 ] PID: 308, 634880 bytes
0x03150000 Hidden Image-->ModelServerTypes.dll [ EPROCESS 0x89B87BC0 ] PID: 3468, 69632 bytes
0x03F10000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x89C6BBC0 ] PID: 308, 872448 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002AC48, Type: Inline - RelativeJump 0x80501C48-->80501BD6 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump 0x80541A8A-->80541A91 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8056E2EE-->BA5B2666 [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcess, Type: Inline - RelativeJump 0x805C74A0-->BA5B2614 [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x805C73EA-->BA5B2628 [mfehidk.sys]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x805A74F0-->BA5B26A6 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805C1316-->BA5B25D8 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Inline - RelativeJump 0x805C15A2-->BA5B25EC [mfehidk.sys]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x805ADA88-->BA5B267A [mfehidk.sys]
ntkrnlpa.exe-->NtSetContextThread, Type: Inline - RelativeJump 0x805C79AA-->BA5B2652 [mfehidk.sys]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Inline - RelativeJump 0x805C3DD4-->BA5B263E [mfehidk.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805C8CAA-->BA5B26D5 [mfehidk.sys]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x805A8306-->BA5B26BC [mfehidk.sys]
ntkrnlpa.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x80502244-->BA5B2690 [mfehidk.sys]
[1052]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1052]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1052]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1052]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1052]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1052]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1052]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1052]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1052]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1052]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1052]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1052]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1052]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1052]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1112]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1112]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1112]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1112]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1112]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1148]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1148]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1148]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1148]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1148]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1148]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1148]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1148]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1148]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
[1148]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1148]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1148]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1148]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1148]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1196]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1196]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1196]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1196]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1196]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1196]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1460]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1460]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1460]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1460]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1460]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1460]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1460]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1584]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1584]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1584]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1584]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1584]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1584]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1584]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1804]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1804]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1804]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1804]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1804]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1804]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1804]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1996]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1996]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1996]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1996]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1996]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1996]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1996]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[2904]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[2904]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[2904]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[2904]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[2904]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[2904]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[420]wuauclt.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[420]wuauclt.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[420]wuauclt.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[420]wuauclt.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[420]wuauclt.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[420]wuauclt.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[420]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[420]wuauclt.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[420]wuauclt.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[420]wuauclt.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[420]wuauclt.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[420]wuauclt.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[420]wuauclt.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[732]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[732]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[732]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[732]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[732]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[732]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[732]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[732]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[732]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[732]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[732]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[732]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[732]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[732]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[732]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[732]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[732]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[732]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[732]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[888]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[888]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[888]services.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[888]services.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[888]services.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[888]services.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[888]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[900]lsass.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[900]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[900]lsass.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[900]lsass.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[900]lsass.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[900]lsass.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[900]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


Re: Google Redirect Virus?

Post by Dr Jay on 18th June 2010, 5:34 pm

Download ComboFix but do not run it yet.

Instead, just save it to your Desktop.

[You must be registered and logged in to see this link.]

Then, download my attachment below, and save it to the Desktop.

Running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Drag the downloaded CFScript.txt into ComboFix.
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


Re: Google Redirect Virus?

Post by ohdeucey on 18th June 2010, 7:14 pm

ComboFix 10-06-17.03 - flabuski 06/18/2010 14:40:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1514 [GMT -4:00]
Running from: c:\documents and settings\flabuski\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\flabuski\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\data\flabuski.dat
c:\data\testflag.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\flabuski\g2mdlhlpx.exe
c:\windows\system32\uninstall.exe
c:\windows\system32\win.com

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
Infected copy of c:\windows\system32\drivers\iaspnp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-18 15:28 . 2010-06-18 15:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-18 11:45 . 2010-06-18 11:45 6656 ----a-w- c:\windows\system32\A8F0BA2C.exe
2010-06-18 11:13 . 2010-06-18 11:13 -------- d-----w- c:\program files\7-Zip
2010-06-14 15:56 . 2010-06-14 13:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-14 13:03 . 2010-06-14 13:03 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-14 13:03 . 2010-06-14 13:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-14 12:54 . 2010-06-14 12:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-14 12:54 . 2010-06-14 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-14 12:54 . 2010-06-14 12:55 -------- d-----w- c:\program files\Lavasoft
2010-06-10 09:11 . 2010-06-10 09:11 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 09:08 . 2010-06-10 09:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 19:01 . 2010-06-08 19:01 -------- d-----w- c:\program files\ESET
2010-06-08 08:50 . 2010-06-09 09:03 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-07 01:44 . 2010-06-09 20:26 10363096 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-06 21:44 . 2010-06-06 21:44 -------- d-----w- c:\documents and settings\flabuski\Local Settings\Application Data\mhrfvcksg
2010-06-02 13:25 . 2010-06-02 13:28 103509 ----a-w- c:\windows\hpoins04.dat
2010-06-02 13:25 . 2004-06-22 12:04 17176 ------w- c:\windows\hpomdl04.dat
2010-05-24 15:06 . 2010-05-24 15:06 -------- d-----w- c:\program files\iPod
2010-05-24 15:06 . 2010-05-24 15:08 -------- d-----w- c:\program files\iTunes
2010-05-24 14:57 . 2010-05-24 14:57 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 18:56 . 2009-10-27 16:48 -------- d-----w- c:\documents and settings\flabuski\Application Data\IM
2010-06-18 18:53 . 2010-01-08 21:03 -------- d-----w- c:\program files\CFdesign 2010
2010-06-18 18:40 . 2009-10-27 16:37 86288 ----a-w- c:\documents and settings\flabuski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-18 02:28 . 2009-10-23 02:17 180379 ----a-w- c:\windows\system32\nvModes.dat
2010-06-17 12:50 . 2010-06-17 12:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidEqd_01005.Wdf
2010-06-17 12:50 . 2010-06-17 12:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LEqdUsb_01005.Wdf
2010-06-15 08:49 . 2009-10-28 17:02 -------- d-----w- c:\documents and settings\flabuski\Application Data\SolidWorks
2010-06-14 12:56 . 2010-05-03 17:18 -------- d-----w- c:\program files\Google
2010-06-07 12:57 . 2009-10-27 19:40 -------- d-----w- c:\program files\CCleaner
2010-06-07 12:33 . 2009-10-27 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 23:09 . 2010-02-17 18:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 12:24 . 2009-12-22 12:47 -------- d-----w- c:\documents and settings\flabuski\Application Data\Alibre Design
2010-05-24 15:06 . 2009-10-28 18:48 -------- d-----w- c:\program files\Common Files\Apple
2010-05-20 18:50 . 2009-10-27 19:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-19 00:37 . 2009-11-02 17:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-12 20:10 . 2009-10-27 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-07 08:56 . 2009-10-27 22:53 -------- d-----w- c:\documents and settings\flabuski\Application Data\Juniper Networks
2010-05-07 08:56 . 2009-10-27 22:54 -------- d-----w- c:\program files\Juniper Networks
2010-04-29 19:39 . 2009-10-27 19:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-10-27 19:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 02:22 . 2010-01-21 18:06 -------- d-----w- c:\program files\Microsoft Office Communicator
2010-04-28 02:30 . 2010-04-28 02:30 -------- d-----w- c:\program files\Adobe Type Manager
2010-04-28 02:26 . 2010-04-28 02:25 -------- d-----w- c:\program files\PhotoDeluxe HE 3.1
2010-04-28 02:26 . 2010-04-28 02:26 -------- d-----w- c:\program files\ImageServer
2010-04-28 02:26 . 2010-04-28 02:26 -------- d-----w- c:\program files\Common Files\Kodak
2010-04-10 19:01 . 2009-11-08 23:10 398704 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2010-04-10 19:01 . 2009-10-27 22:54 345456 ----a-w- c:\windows\system32\dsNcCredProv.dll
2010-04-10 18:59 . 2010-04-10 18:59 221184 ----a-w- c:\windows\system32\dsGinaLoader.dll
2010-04-10 18:47 . 2009-03-27 02:41 26624 ----a-w- c:\windows\system32\drivers\dsNcAdpt.sys
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 14:04 . 2010-02-08 15:14 60964 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-23 12:48 . 2010-03-23 12:48 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-01 01:07 . 2010-01-18 18:48 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-23 7561216]
"nwiz"="nwiz.exe" [2006-03-23 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-23 73728]
"NvMediaCenter"="NvMCTray.dll" [2006-03-23 86016]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-16 124224]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-07-29 7320872]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-04-03 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-27 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logoff\0\0]
"Script"=lo1.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logon\0\0]
"Script"=bigfixclient.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logon\1\0]
"Script"=evclient.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logon\2\0]
"Script"=li1.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logoff\0\0]
"Script"=lo1.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logon\0\0]
"Script"=\\andover.polycom.com\sysvol\andover.polycom.com\scripts\LDInstall.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logon\1\0]
"Script"=evclient.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logon\2\0]
"Script"=li1.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LANDesk Policy Invoker"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dimension\\CatalystEX 4.0\\nt\\CatalystEX.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\CFdesign 2010\\SMPD.EXE"=
"c:\\Program Files\\Polycom\\Polycom CMA Desktop\\vvsys.exe"=
"c:\\Program Files\\SolidWorks Corp\\SolidWorks\\SLDWORKS.exe"=
"c:\\Program Files\\SolidWorks Corp\\SolidWorks (2)\\SLDWORKS.exe"=
"c:\\Program Files\\SolidWorks Corp\\SolidWorks (2)\\swScheduler\\DTSMonitor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/14/2010 9:03 AM 64288]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [4/27/2010 10:30 PM 4064]
R2 CFdesign 2010 Server;CFdesign 2010 Server;c:\program files\CFdesign 2010\CFdServ.exe [3/31/2010 3:03 PM 429936]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/27/2009 7:04 PM 10384]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/31/2009 9:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/27/2009 10:03 AM 70728]
R2 ModelServerWinServiceP;Dimension 3D Printers Service;c:\program files\Dimension\CatalystEX 4.0\nt\ModelServer.exe [1/16/2009 3:11 PM 442368]
R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [9/11/2009 8:46 PM 144680]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/29/2010 12:14 PM 30152]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 12:55 PM 40720]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [6/17/2009 12:55 PM 10384]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2010 1:18 PM 136176]
S3 051D6553;051D6553;c:\windows\system32\051D6553.exe --> c:\windows\system32\051D6553.exe [?]
S3 A8F0BA2C;A8F0BA2C;c:\windows\system32\A8F0BA2C.exe [6/18/2010 7:45 AM 6656]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks (2)\swScheduler\DTSCoordinatorService.exe [1/20/2010 1:59 AM 87336]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/27/2009 10:03 AM 65448]
S4 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [10/27/2009 9:42 AM 139264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:04]

2010-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 17:18]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-03 17:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: force.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: polycom.com\corpid02
Trusted Zone: polycom.com\corpsbltest10.milpitas
Trusted Zone: polycom.com\sololearning
Trusted Zone: polycom.com\sso
Trusted Zone: salesforce.com
Trusted Zone: force.com
Trusted Zone: polycom.com\corpid02
Trusted Zone: polycom.com\corpsbltest10.milpitas
Trusted Zone: polycom.com\sololearning
Trusted Zone: polycom.com\sso
Trusted Zone: salesforce.com
DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - [You must be registered and logged in to see this link.] files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\flabuski\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-SLABCOMM - c:\windows\system32\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-18 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\BigFix Enterprise\BES Client\BESClient.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-06-18 15:08:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-18 19:08

Pre-Run: 53,618,810,880 bytes free
Post-Run: 53,943,476,224 bytes free

- - End Of File - - E2525863716210D3E6CB4FF75012E21F


Re: Google Redirect Virus?

Post by Dr Jay on 18th June 2010, 7:29 pm

Is this computer a company or education computer?

Please re-run Rootkit Unhooker and post a log.


Dr. Jay (DJ)


Re: Google Redirect Virus?

Post by ohdeucey on 19th June 2010, 2:19 am

Yes.....work computer

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x8061A344-->BA8F887E [Lbd.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x806188B6-->BA8F8BFE [Lbd.sys]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x8A403830 [4] System
0x89EBD7B8 [116] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)
0x89F91988 [300] C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc., Internal Network Card Power Management Service)
0x89F27890 [332] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A01BDA0 [440] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x89FDE6E0 [480] C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe (BigFix Inc., BigFix BESClient Application)
0x89F08588 [512] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0x89F0E830 [524] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89EA9828 [536] C:\Program Files\CFdesign 2010\CFdServ.exe (Blue Ridge Numerics, Inc., CFdesign 2010 Server)
0x89F52810 [576] C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (Juniper Networks, Network Connect Service)
0x8A2AF540 [852] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation, ViewMgr)
0x893CB910 [868] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
0x89427BE0 [928] C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc., McAfee Process Validation Service)
0x89F35740 [980] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8A0E92E8 [1004] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x89FE4908 [1048] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x89FCB020 [1060] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x89EEB468 [1212] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A106DA0 [1276] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89F1B780 [1316] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A120338 [1348] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A2B6020 [1412] C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc., Logitech SetPoint Event Manager (UNICODE))
0x8A0E33A8 [1420] C:\WINDOWS\system32\cba\pds.exe (LANDesk Software Ltd., CBA -- Ping Discovery Service)
0x8A14CB28 [1472] C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation, Intel(R) PROSet/Wireless Event Log)
0x89FFC678 [1508] C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation , Wireless Management Service)
0x89F07798 [1540] C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel(R) Corporation, WLANKEEPER)
0x895008B8 [1588] C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc., Intuit Update Service)
0x89570DA0 [1608] C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc., McTray Application)
0x8932E3C8 [1620] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc., AcroTray)
0x89EE8A70 [1632] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89F2EBC0 [1776] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x88F59870 [1804] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft, Ad-Aware Tray Application)
0x894559E0 [1864] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
0x8A06DDA0 [1956] C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft, Ad-Aware Service Application)
0x89EC2DA0 [2016] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x893ED9E0 [2172] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x89F8AC38 [2260] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 84.30)
0x89F9D8B0 [2412] C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation, Intel(R) PROSet/Wireless Registry Service)
0x8A2B6B78 [2508] C:\Program Files\Apoint\hidfind.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver)
0x89FD6A70 [2528] C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver for Windows NT/2000/XP)
0x89F86370 [2532] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
0x89288510 [2576] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation, Macrovision Software Manager)
0x893F26B8 [2584] C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe (Mentor Graphics Corporation, StandAloneSlv Module)
0x89335958 [2616] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc, QuickSet)
0x893CAB98 [2732] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver)
0x8939C9E0 [2744] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89473CA0 [2792] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x8937DDA0 [2848] C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation, Viewpoint Media Player ViewpointService.exe)
0x895004F0 [2856] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc., Common User Interface)
0x89332DA0 [3140] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x8932FBC0 [3152] C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe (Stratasys, Inc., 3D Printers Service)
0x89050020 [3184] C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation, WMI)
0x88FF35E0 [3224] C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel Corporation, Intel 802.1x Server)
0x893076E8 [3456] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x89310D08 [3576] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x88F14AC0 [3588] C:\Documents and Settings\flabuski\My Documents\My Downloads\RootkitUnhooker\RkU3.8.388.590\MustBeRandomlyNamed\Kibsa4nGKeX57cahsh.exe (UG North, RKULE, SR2 Normandy)
0x892F4440 [3604] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x89376770 [3648] C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc., Logitech KHAL Main Process)
0x892F2628 [3692] C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation, ZeroCfgSvc MFC Application)
0x892CE690 [3728] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x892F36D0 [3776] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x8944D510 [3792] C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation, Intel Framework MFC Application)
0x88FD45B0 [3808] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x8A27B020 [3876] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x893D8530 [3952] C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe (Dassault Systèmes SolidWorks Corp., sldIM)
==============================================
>Drivers
==============================================
0xBF9D6000 C:\WINDOWS\System32\nv4_disp.dll 3977216 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 84.30 )
0xB994E000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3657728 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 84.30 )
0xB91DF000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 2211840 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBA62A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB6C4F000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xB6DD5000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB905C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB6F08000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB4CD6000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBA591000 mfehidk.sys 335872 bytes (McAfee, Inc., McAfee Link Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB6D6A000 C:\WINDOWS\System32\Drivers\bthport.sys 274432 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0xB919C000 C:\WINDOWS\system32\drivers\STAC97.sys 274432 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xB2BB4000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9908000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 204800 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB90E2000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xBA779000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB5888000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xBA5FD000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB6E45000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB6EBA000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB6EE2000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9178000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB98E4000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9155000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB2CDC000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB6E70000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xBA6F3000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xBA72B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBA74A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xB913A000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 110592 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xBA5E3000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB6C36000 C:\WINDOWS\system32\DRIVERS\bthpan.sys 102400 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
0xBA713000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB6C1E000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xBA6CA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9123000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB4F33000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB993A000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB6F61000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBA6B7000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF9C4000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBA6E1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xBA768000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9112000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBAA38000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA938000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA918000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBAB08000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA8F8000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xBA948000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBAA88000 C:\WINDOWS\system32\DRIVERS\rfcomm.sys 61440 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0xB5818000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA9D8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA9E8000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBA8E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBAB18000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA968000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA8C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBAA78000 C:\WINDOWS\System32\Drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xBA988000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA958000 C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys 45056 bytes (Juniper Networks, dsNcAdapter)
0xBAA18000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA928000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA8B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA978000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA8A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA9B8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA9A8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA8D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBAA58000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBAAD8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBAA68000 C:\WINDOWS\System32\Drivers\LEqdUsb.Sys 36864 bytes (Logitech, Inc., Logitech Equad USB Driver.)
0xBA998000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA9F8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB2A4F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBAA48000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBAC80000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xBAC88000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0xBAC48000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBAC70000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBABD8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBAC30000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBAB28000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBABF0000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBABE8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBABE0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBAC50000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xBABD0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBAC38000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBACA0000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xBAC78000 C:\WINDOWS\system32\DRIVERS\BthEnum.sys 20480 bytes (Microsoft Corporation, Bluetooth Bus Extender)
0xBAC68000 C:\WINDOWS\System32\Drivers\BTHUSB.sys 20480 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
0xBAC40000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBAB30000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBAC00000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBAC08000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBABF8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBAC90000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB90DE000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xBACC0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBAD9C000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB6EB2000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9CD7000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB5C69000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA544000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)
0xB5BFD000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xBA53C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBACB8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBACBC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB6E9E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBAD7C000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB6EAE000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBAD48000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBAD84000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBAD98000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xBADE8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBAE16000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBADE6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBADAC000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBADA8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBADEA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBADEC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBADDE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBADE4000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBADAA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBAF1E000 C:\WINDOWS\System32\Drivers\ATMhelpr.SYS 4096 bytes (Adobe Systems Incorporated, Windows NT Font Driver Helper)
0xBAECD000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBAF56000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB94DA000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
0xBAF4A000 C:\WINDOWS\System32\Drivers\LHidEqd.Sys 4096 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xBAF1D000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBAE70000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

ohdeucey

Re: Google Redirect Virus?

Post by ohdeucey on 19th June 2010, 2:19 am

==============================================
>Stealth
==============================================
0x05470000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x895008B8 ] PID: 1588, 126976 bytes
0x03950000 Hidden Image-->System.XML.dll [ EPROCESS 0x895008B8 ] PID: 1588, 2060288 bytes
0x04490000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x895008B8 ] PID: 1588, 266240 bytes
0x04220000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x895008B8 ] PID: 1588, 270336 bytes
0x00F80000 Hidden Image-->log4net.dll [ EPROCESS 0x895008B8 ] PID: 1588, 282624 bytes
0x03EF0000 Hidden Image-->System.Data.dll [ EPROCESS 0x895008B8 ] PID: 1588, 2961408 bytes
0x049B0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x895008B8 ] PID: 1588, 307200 bytes
0x03330000 Hidden Image-->System.dll [ EPROCESS 0x895008B8 ] PID: 1588, 3158016 bytes
0x05380000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x895008B8 ] PID: 1588, 421888 bytes
0x03270000 Hidden Image-->System.configuration.dll [ EPROCESS 0x895008B8 ] PID: 1588, 438272 bytes
0x04290000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x895008B8 ] PID: 1588, 479232 bytes
0x04D00000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x895008B8 ] PID: 1588, 5033984 bytes
0x02D40000 Hidden Image-->msvcm80.dll [ EPROCESS 0x8932FBC0 ] PID: 3152, 507904 bytes
0xB3B656E8 Unknown thread object [ ETHREAD 0x894E8810 ] , 600 bytes
0xB296F6E8 Unknown thread object [ ETHREAD 0x88FF0830 ] , 600 bytes
0xB296F6E8 Unknown thread object [ ETHREAD 0x8A2AFDA8 ] , 600 bytes
0x052E0000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x895008B8 ] PID: 1588, 634880 bytes
0x03030000 Hidden Image-->ModelServerTypes.dll [ EPROCESS 0x8932FBC0 ] PID: 3152, 69632 bytes
0x03E00000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x895008B8 ] PID: 1588, 872448 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-11D43762.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-1857459C.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-2A94BB85.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-31610E45.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-3197E1AF.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-483E13BB.pf
!-->[Hidden] C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002AC48, Type: Inline - RelativeJump 0x80501C48-->80501BD6 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump 0x80541A8A-->80541A91 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8056E2EE-->BA5B27BE [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcess, Type: Inline - RelativeJump 0x805C74A0-->BA5B2614 [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x805C73EA-->BA5B2628 [mfehidk.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8061A7E0-->BA5B2690 [mfehidk.sys]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x8061A9B0-->BA5B26BC [mfehidk.sys]
ntkrnlpa.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x8061AB90-->BA5B272A [mfehidk.sys]
ntkrnlpa.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x8061ADFA-->BA5B2714 [mfehidk.sys]
ntkrnlpa.exe-->NtLoadKey2, Type: Inline - RelativeJump 0x8061C174-->BA5B2740 [mfehidk.sys]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x805A74F0-->BA5B27FE [mfehidk.sys]
ntkrnlpa.exe-->NtNotifyChangeKey, Type: Inline - RelativeJump 0x8061C532-->BA5B276C [mfehidk.sys]
ntkrnlpa.exe-->NtOpenKey, Type: Inline - RelativeJump 0x8061B722-->BA5B2666 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805C1316-->BA5B25D8 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Inline - RelativeJump 0x805C15A2-->BA5B25EC [mfehidk.sys]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x805ADA88-->BA5B27D2 [mfehidk.sys]
ntkrnlpa.exe-->NtQueryKey, Type: Inline - RelativeJump 0x8061BA64-->BA5B27A8 [mfehidk.sys]
ntkrnlpa.exe-->NtQueryMultipleValueKey, Type: Inline - RelativeJump 0x80619492-->BA5B26FE [mfehidk.sys]
ntkrnlpa.exe-->NtQueryValueKey, Type: Inline - RelativeJump 0x80618568-->BA5B26E8 [mfehidk.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Inline - RelativeJump 0x80619D66-->BA5B26A6 [mfehidk.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Inline - RelativeJump 0x8061C418-->BA5B2794 [mfehidk.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Inline - RelativeJump 0x8061BD24-->BA5B2780 [mfehidk.sys]
ntkrnlpa.exe-->NtSetContextThread, Type: Inline - RelativeJump 0x805C79AA-->BA5B2652 [mfehidk.sys]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Inline - RelativeJump 0x805C3DD4-->BA5B263E [mfehidk.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805C8CAA-->BA5B282D [mfehidk.sys]
ntkrnlpa.exe-->NtUnloadKey, Type: Inline - RelativeJump 0x80618BE0-->BA5B2756 [mfehidk.sys]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x805A8306-->BA5B2814 [mfehidk.sys]
ntkrnlpa.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x80502244-->BA5B27E8 [mfehidk.sys]
[1048]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1048]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1048]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1048]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1048]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1048]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1048]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1048]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1048]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1048]services.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1060]lsass.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1060]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1060]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1212]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1212]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1212]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1276]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1276]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1276]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1316]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1316]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1316]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[1316]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[1316]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[1316]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[1316]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1348]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1348]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1632]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1632]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1632]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[1776]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[1776]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[1776]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2172]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[2172]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[2172]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2172]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[2172]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[2172]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[2172]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[2172]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2172]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[2172]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[2172]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[2172]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[2172]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B1248-->00000000 [shimeng.dll]
[2172]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2172]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[2744]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[2744]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[2792]wuauclt.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[332]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[332]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[332]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771C5796-->00000000 [unknown_code_page]
[332]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x771C5A62-->00000000 [unknown_code_page]
[332]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x771D5BB2-->00000000 [unknown_code_page]
[332]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x771BAF49-->00000000 [unknown_code_page]
[332]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]
[524]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]
[524]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

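The hook listing above, as added example code that is not part of the thread (neither ohdeucey's log nor any of Dr Jay's tools): a small Python triage parser for GMER-style inline-hook lines that groups entries by process and flags hooks that jump to address 0 or into a page no loaded module owns. The sample lines are constructed; the fourth entry, including explorer.exe and `example_hook.dll`, is made up to show what a hook with a named owner looks like.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER-style hook format of the listing above. The
# first three lines mirror the thread's entries; the fourth is made up to show a
# hook whose target resolves to a named module (example_hook.dll is fictitious).
SAMPLE_LOG = """\
[332]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]
[332]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]
[524]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]
[1000]explorer.exe-->user32.dll-->MessageBoxA, Type: Inline - RelativeJump 0x7E4507EA-->10001234 [example_hook.dll]
"""

# [pid]process-->module-->function, Type: <kind> 0x<src>--><dst> [<owner>]
HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<module>.+?)-->(?P<func>[^,]+),"
    r" Type: (?P<type>.+?) 0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+)"
    r"(?: \[(?P<owner>[^\]]+)\])?$"
)

def parse_hook_line(line):
    """Parse one hook entry; return None for lines that are not hook entries."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["src"] = int(hook["src"], 16)
    hook["dst"] = int(hook["dst"], 16)
    return hook

def parse_hook_log(text):
    return [h for h in map(parse_hook_line, text.splitlines()) if h]

def is_suspicious(hook):
    # Security software also hooks these APIs, but its trampolines land inside a
    # named module; a jump to 0 or into [unknown_code_page] is the rootkit pattern.
    return hook["dst"] == 0 or hook["owner"] == "unknown_code_page"

def summarize_by_process(hooks):
    """Group hooks by PID: process name, hooked modules, suspicious count."""
    summary = defaultdict(lambda: {"proc": None, "modules": set(), "suspicious": 0})
    for h in hooks:
        entry = summary[h["pid"]]
        entry["proc"] = h["proc"]
        entry["modules"].add(h["module"])
        if is_suspicious(h):
            entry["suspicious"] += 1
    return dict(summary)
```

Run it over a saved GMER log with `parse_hook_log(open(path).read())`; a process whose suspicious count equals its hook count, as with both svchost.exe PIDs in the thread, is the one to look at first.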
Re: Google Redirect Virus?

Post by Dr Jay on 19th June 2010, 2:46 am

Do you have any more Google redirects?


Dr. Jay (DJ)


Re: Google Redirect Virus?

Post by ohdeucey on 19th June 2010, 11:36 pm

It seems to be ok, but I'll let you know. ;-)

Thanks for everything!

Re: Google Redirect Virus?

Post by Dr Jay on 19th June 2010, 11:49 pm

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point. To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the drop-down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)

Re: Google Redirect Virus?

Post by ohdeucey on 20th June 2010, 11:44 pm

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
ESET Online Scanner v3
McAfee VirusScan Enterprise
McAfee AntiSpyware Enterprise Module
McAfee Agent
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 20
Adobe Flash Player 10.0.45.2
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
McAfee VirusScan Enterprise engineserver.exe
McAfee VirusScan Enterprise vstskmgr.exe
McAfee VirusScan Enterprise mcshield.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Re: Google Redirect Virus?

Post by Dr Jay on 21st June 2010, 2:56 am

See [You must be registered and logged in to see this link.] for more info about malware and prevention.

That would be all.


Dr. Jay (DJ)