ATTACKED Nybegynder

27. september 2009 - 21:30 Der er 20 kommentarer og
1 løsning

Rootkit.TDSS + DNSChanger.t

Hej.
Endnu engang omgang snavs af den lidt mere skumle slags.
Håber i vil hjælpe mig.

MalwareBytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 5.1.2600 Service Pack 3

27-09-2009 19:30:11
mbam-log-2009-09-27 (19-30-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147833
Time elapsed: 57 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ejer\Lokale indstillinger\Temp\gasfkydvpetuwgod.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ejer\Lokale indstillinger\Temp\gasfkyyfhrhostwb.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

HJT>LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:25:05, on 27-09-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ltmoh\Ltmoh.exe
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\Programmer\EzButton\EzButton.EXE
C:\Programmer\Apoint2K\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Windows Live\Messenger\msnmsgr.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Windows Desktop Search\WindowsSearch.exe
C:\Programmer\Apoint2K\Apntex.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Programmer\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ejer\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programmer\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Hjælp til tilmelding til Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmer\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmer\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [EzButton] C:\Programmer\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmer\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Programmer\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programmer\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243982979218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Programmer\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmer\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 6630 bytes

Mcafee LOGGen Viste mig at den havde Fanget en Trojan ved navn DNSCHANGER.t

Synes godt om

ATTACKED Nybegynder

27. september 2009 - 22:06 #1

Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\DRIVERS\QECXFYXEPODQMBEQ.SYS DNSChanger.t (Trojan)
27-09-2009 17:39:23 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\qecxfyxepodqmbeq.sys DNSChanger.t (Trojan)

For lige at få al info med.

Hjæææææælp:-)

Synes godt om

johnstigers Seniormester

27. september 2009 - 22:22 #2

Har du overvejet lidt disciplin når du er på nettet, samt lidt bedre sikkerhed? :)

Nå men vent på en der har tjek på rootkits, så får du hjælp.

Synes godt om

ATTACKED Nybegynder

27. september 2009 - 22:29 #3

Jeg Plejer ellers at være meget påpasselig, men har tjekket noget shareware ud og hmm tja blev så ramt:-)

Det med sikkerheden må jeg nok invistere lidt mere i, har du nogle anbefalinger?

Har kigget lidt på steganos sikkerhedspakken, og den ser ret komplet ud....

Synes godt om

johnstigers Seniormester

27. september 2009 - 22:37 #4

Jeg scanner ugentligt med malwarebytes antimalware og avast free.

Der findes selvfølgelig bedre alternativer, men det er mit setup, og med teenagere der bruger samme pc, så skal der nok komme noget snavs ind, men indtil videre er jeg sluppet med det setup :)

Synes godt om

ATTACKED Nybegynder

27. september 2009 - 22:54 #5

Okay vil tjekke avast ud, bruger også malwarebytes med et par scanninger om ugen på denne maskine - samt mCafee.

På min stationære kører jeg superantivirus, malwarebytes og en gammel mcafee. på trods af det bliver den oftere ramt af diverse indslag fra vrede kodere:-)

Men jeg overvejer på det kraftigste den der steganos komplette sikkerhedsløsning, på begge maskiner, selvom det måske er lidt dyrere end andre løsninger.

Synes godt om

ATTACKED Nybegynder

28. september 2009 - 11:24 #6

Jeg har også lavet en Gmer log. Jeg håber jeg har leveret nok information, til at få lidt hjælp.
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-28 11:19:23
Windows 5.1.2600 Service Pack 3
Running: a12nc.exe; Driver: C:\DOCUME~1\Ejer\LOKALE~1\Temp\uwloypow.sys

---- System - GMER 1.0.15 ----

SSDT spcl.sys ZwCreateKey [0xF74B50E0]
SSDT spcl.sys ZwEnumerateKey [0xF74D3CA4]
SSDT spcl.sys ZwEnumerateValueKey [0xF74D4032]
SSDT spcl.sys ZwOpenKey [0xF74B50C0]
SSDT spcl.sys ZwQueryKey [0xF74D410A]
SSDT spcl.sys ZwQueryValueKey [0xF74D3F8A]
SSDT spcl.sys ZwSetValueKey [0xF74D419C]
SSDT \??\C:\Programmer\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8FEB0B0]

INT 0x62 ? 8636DBF8
INT 0x63 ? 8616CBF8
INT 0x63 ? 8616CBF8
INT 0x63 ? 8616CBF8
INT 0x73 ? 8616CBF8
INT 0x82 ? 8636DBF8
INT 0x94 ? 8616CBF8
INT 0xB4 ? 8616CBF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9C1CAC1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9C1CAEB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9C1CA55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9C1CA81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9C1CB15]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9C1CAD5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9C1CA6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9C1CAAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9C1CB2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9C1CAFF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP A9C1CB03 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP A9C1CAC5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP A9C1CAD9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP A9C1CB2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP A9C1CB19 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP A9C1CAB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP A9C1CA85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP A9C1CA59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP A9C1CAEF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP A9C1CA6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spcl.sys Den angivne fil blev ikke fundet. !
.text USBPORT.SYS!DllUnload F655F8AC 5 Bytes JMP 8616C1D8
.text avqkvl7v.SYS F5D07386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text avqkvl7v.SYS F5D073AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text avqkvl7v.SYS F5D073C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text avqkvl7v.SYS F5D073C9 1 Byte [30]
.text avqkvl7v.SYS F5D073C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EE0000
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EE0040
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EE0F4B
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EE0F5C
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EE0F83
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EE0FA5
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EE0062
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EE0051
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE0EDA
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE0EF5
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EE008E
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EE0F94
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EE0FE5
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EE0F26
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EE0011
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EE0FC0
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EE0073
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00ED0FCD
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00ED0FA1
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00ED0FDE
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00ED0FEF
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00ED0FB2
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00ED000A
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00ED004A
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00ED0039
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00EC0FC3
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] msvcrt.dll!system 77C193C7 5 Bytes JMP 00EC004E
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00EC0022
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00EC0FEF
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00EC0033
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00EC0FDE
.text C:\Programmer\McAfee\Common Framework\naPrdMgr.exe[360] WS2_32.dll!socket 71A84211 5 Bytes JMP 00EB0000
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F92
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0087
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0076
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0065
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F77
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00C9
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F5C
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00F5
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0106
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE004A
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00AC
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0025
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00E4
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00BD0047
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00BD001B
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00BD0036
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00BD0F94
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [DE, 88]
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00BC0FC1
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!system 77C193C7 5 Bytes JMP 00BC0FD2
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00BC0038
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00BC001D
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenA 40B3D688 5 Bytes JMP 00BA0000
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenW 40B3DB01 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenUrlA 40B3F39C 5 Bytes JMP 00BA0025
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenUrlW 40B86F37 5 Bytes JMP 00BA0036
.text C:\WINDOWS\Explorer.EXE[516] WS2_32.dll!socket 71A84211 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[676] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070056
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F1A
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700B3
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700A2
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EFF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F46
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070087
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00060F68
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00060F79
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00050F9A
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!system 77C193C7 5 Bytes JMP 00050FAB
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00050FD7
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00050FBC
.text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[936] WS2_32.dll!socket 71A84211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50089
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50064
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F8A
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50F9B
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50FAC
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F500C1
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F6F
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F50F39
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F500D2
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F500E3
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50033
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F5009A
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50022
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50011
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50F5E
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F4002C
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F40F9E
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00F40FAF
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00F40FC0
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [15, 89]
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F40047
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00F30042
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!system 77C193C7 5 Bytes JMP 00F30FB7
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00F30016
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00F30027
.text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00F30FDE
.text C:\WINDOWS\system32\lsass.exe[948] WS2_32.dll!socket 71A84211 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F8000A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F92
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80FA3
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80FB4
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F8007D
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80062
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F70
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F81
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800F5
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800E4
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F80106
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80FDB
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80025
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F800A2
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80047
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80036
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F800C9
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F70FDB
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F70F8A
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F7002C
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F70011
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00F70F9B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00F60070
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C193C7 5 Bytes JMP 00F60FDB
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00F6003A
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00F6000C
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00F60055
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00F6001D
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71A84211 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70F80
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F91
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70FAC
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70069
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70044
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C70F4D
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F5E
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C700C1
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F28
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C700D2
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C70FC7
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C70F6F
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C70033
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C70022
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C700B0
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00C60051
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00C60FC0
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00C60FDB
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00C60073
.text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00C60062
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!system 77C193C7 5 Bytes JMP 00C50F9A
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00C50FC6
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00C50FAB
.text C:\WINDOWS\system32\svchost.exe[1180] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00C50FE3
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!socket 71A84211 5 Bytes JMP 00C40000
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02290FEF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02290065
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02290054
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02290043
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02290F86
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0229001E
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02290F44
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02290F55
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022900C2
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02290F29
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02290F04
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02290F97
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02290FDE
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02290080
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02290FB2
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02290FCD
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022900A7
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 02280FB9
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 02280051
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0228000A
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 02280FD4
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 02280F94
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 02280FEF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 0228002C
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 0228001B
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 02270FB7
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!system 77C193C7 5 Bytes JMP 02270042
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 02270027
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_open 77C1F566 5 Bytes JMP 02270FEF
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 02270FD2
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 0227000C
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket 71A84211 5 Bytes JMP 02260000
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenA 40B3D688 5 Bytes JMP 01E40000
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenW 40B3DB01 5 Bytes JMP 01E4001B
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 40B3F39C 5 Bytes JMP 01E40040
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 40B86F37 5 Bytes JMP 01E40051
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0087
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0076
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C005B
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0F9E
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C002F
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C00DA
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C00BF
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C0F55
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C0F66
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007C0109
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007C0040
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007C0014
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007C00A2
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007C0FB9
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007C0FDE
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007C0F77
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 007B002C
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 007B0073
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 007B0FDB
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 007B0062
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 007B0047
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 007A0FA1
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!system 77C193C7 5 Bytes JMP 007A002C
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 007A0FCD
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_open 77C1F566 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 007A0FBC
.text C:\WINDOWS\system32\svchost.exe[1268] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 007A0FDE
.text C:\WINDOWS\system32\svchost.exe[1268] WS2_32.dll!socket 71A84211 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F66
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A1005B
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10F8D
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F1D
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F2E
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10F02
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A1009B
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A100B6
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10040
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A1001B
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10F4B
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FDB
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A1008A
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00A00FC0
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00A00F72
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00A0001B
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00A00F83
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00A00F94
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [C1, 88]
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00A00FA5
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 009F0053
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!system 77C193C7 5 Bytes JMP 009F0FD2
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 009F0027
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_open 77C1F566 5 Bytes JMP 009F0FE3
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 009F0038
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 009F000C
.text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!socket 71A84211 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60060
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F61
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60F7C
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60F8D
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C6008C
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F50
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600A7
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F0E
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60EF3
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60FA8
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60071
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C60F29
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00980FCA
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00980054
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0098001B
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00980F97
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00980FA8
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [B9, 88]
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00980FB9
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00970F9C
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!system 77C193C7 5 Bytes JMP 00970027
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00970FD2
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00970FB7
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00970FE3
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenA 40B3D688 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenW 40B3DB01 5 Bytes JMP 00950FDE
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenUrlA 40B3F39C 5 Bytes JMP 00950014
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenUrlW 40B86F37 5 Bytes JMP 00950FC3
.text C:\WINDOWS\system32\svchost.exe[1884] WS2_32.dll!socket 71A84211 5 Bytes JMP 00960FE5
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0FEF
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E0F86
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0F97
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0065
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!LoadLibraryExA

Synes godt om

ATTACKED Nybegynder

28. september 2009 - 11:28 #7

.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E004A
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E0014
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E00C2
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E00B1
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E00F5
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E00E4
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E0F41
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E0039
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E0FDE
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E00A0
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0FB2
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E0FCD
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E00D3
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 010D0036
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 010D007D
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 010D0025
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 010D0014
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 010D0062
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 010D0FEF
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 010D0047
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 010D0FCA
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 010C0F9C
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] msvcrt.dll!system 77C193C7 5 Bytes JMP 010C0FAD
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 010C0016
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] msvcrt.dll!_open 77C1F566 5 Bytes JMP 010C0FEF
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 010C0027
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 010C0FD2
.text C:\Programmer\McAfee\Common Framework\FrameworkService.exe[2016] WS2_32.dll!socket 71A84211 5 Bytes JMP 010B0000
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0082
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A005D
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F83
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0036
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA5
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F57
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F72
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F10
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F21
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EFF
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F94
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A009D
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB6
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0011
.text C:\Programmer\Messenger\msmsgs.exe[2460] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F3C
.text C:\Programmer\Messenger\msmsgs.exe[2460] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 002E0053
.text C:\Programmer\Messenger\msmsgs.exe[2460] msvcrt.dll!system 77C193C7 5 Bytes JMP 002E0FC8
.text C:\Programmer\Messenger\msmsgs.exe[2460] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 002E002E
.text C:\Programmer\Messenger\msmsgs.exe[2460] msvcrt.dll!_open 77C1F566 5 Bytes JMP 002E0000
.text C:\Programmer\Messenger\msmsgs.exe[2460] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 002E0FD9
.text C:\Programmer\Messenger\msmsgs.exe[2460] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 002E001D
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 002F0FD4
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 002F0051
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 002F001B
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 002F000A
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 002F0F94
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 002F0FEF
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 002F0040
.text C:\Programmer\Messenger\msmsgs.exe[2460] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 002F0FB9
.text C:\Programmer\Messenger\msmsgs.exe[2460] WS2_32.dll!socket 71A84211 5 Bytes JMP 00300FEF
.text C:\Programmer\Messenger\msmsgs.exe[2460] WININET.dll!InternetOpenA 40B3D688 5 Bytes JMP 00310000
.text C:\Programmer\Messenger\msmsgs.exe[2460] WININET.dll!InternetOpenW 40B3DB01 5 Bytes JMP 00310FE5
.text C:\Programmer\Messenger\msmsgs.exe[2460] WININET.dll!InternetOpenUrlA 40B3F39C 5 Bytes JMP 00310FD4
.text C:\Programmer\Messenger\msmsgs.exe[2460] WININET.dll!InternetOpenUrlW 40B86F37 5 Bytes JMP 0031001B

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 863705E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74E6C4C] spcl.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74E6CA0] spcl.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74B6042] spcl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74B613E] spcl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74B60C0] spcl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74B6800] spcl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74B66D6] spcl.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8616C2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74C5E9C] spcl.sys
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlInitUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!swprintf] 001CB286
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeSetEvent] C61AEB00
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 001C8186
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 86C61200
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00001C83
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmFreeMappingAddress] 8E868801
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 8800001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 001CAA86
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmUnmapIoSpace] 80968B00
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 8900001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IofCompleteRequest] 001C9C96
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlCompareUnicodeString] C6168B00
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IofCallDriver] 001CB986
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 428A0A00
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] BA86880C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoConnectInterrupt] 8B00001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoDetachDevice] 24A48DFA
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeWaitForSingleObject] 00000000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeInitializeEvent] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeCancelTimer] 8D3F0304
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] CB033043
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlInitAnsiString] 0673C13B
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] C13B0003
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoQueueWorkItem] 8366FA72
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmMapIoSpace] 75000E7B
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0B7D80E3
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoReportDetectedDevice] 307B8D00
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoReportResourceForDetection] 00AA840F
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 83660000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!NlsMbCodePageTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!PoRequestPowerIrp] C6647400
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001CBB86
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 4F8B0200
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!sprintf] 968D5140
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00001C90
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ObfDereferenceObject] 2266E852
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 478B0000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 50016A40
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ZwClose] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] E8510000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00002254
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 6A18538B
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 868D5200
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoCreateDevice] 00001C98
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 2242E850
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 4B8B0000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 51016A18
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ZwOpenKey] 1CB4968D
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlFreeUnicodeString] E8520000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoStartTimer] 00002230
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeInitializeTimer] 8A05478A
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoInitializeTimer] 001CBB8E
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeInitializeDpc] 30C48300
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeInitializeSpinLock] 1CBD8688
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoInitializeIrp] 80E90000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ZwCreateKey] C6000000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 001CBB86
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 438B0100
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ZwSetValueKey] 8E8D5018
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeInsertQueueDpc] 00001C90
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 2202E851
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoStartPacket] 538B0000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 52016A18
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 1CAC868D
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoFreeMdl] E8500000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmUnlockPages] 000021F0
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 001CBB8E
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 1CBD8688
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeSynchronizeExecution] 43EB0000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoStartNextPacket] 320C538A
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeBugCheckEx] 88F93BC0
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CBB96
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeSetTimer] [F6317300] \SystemRoot\system32\DRIVERS\w29n51.sys (Intel® Wireless LAN Driver/Intel® Corporation)
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!_allmul] 74070647
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmProbeAndLockPages] 75C0841A
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!_except_handler3] 05578A0B
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!PoSetPowerState] 968801B0
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 00001CBD
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B60F66
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 533B6604
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!_aulldiv] 03087408
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!strstr] 72F93B3F
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!_strupr] 8A09EBDA
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeQuerySystemTime] 86880547
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 00001CBD
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!KeTickCount] 88084B8A
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 001CBE8E
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoDeleteDevice] 40578B00
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 8D52006A
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoAllocateWorkItem] 001CC086
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoAllocateIrp] 81E85000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoAllocateMdl] 8B000021
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB88E
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmLockPagableDataSection] BC968B00
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8900001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CC48E
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!ExFreePoolWithTag] C8968900
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoFreeIrp] 8B00001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!IoFreeWorkItem] 016A4047
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!InitSafeBootMode] CCC68150
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!RtlCompareMemory] 5600001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!PoCallDriver] 002157E8
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!memmove] 18C48300
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[ntoskrnl.exe!MmHighestUserAddress] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\avqkvl7v.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8636C1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{3ED35822-1E95-4735-A491-F8360F29087D} 85B21500
Device \Driver\usbuhci \Device\USBPDO-0 861EE1F8
Device \Driver\usbuhci \Device\USBPDO-1 861EE1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 863DB1F8
Device \Driver\dmio \Device\DmControl\DmConfig 863DB1F8
Device \Driver\dmio \Device\DmControl\DmPnP 863DB1F8
Device \Driver\dmio \Device\DmControl\DmInfo 863DB1F8
Device \Driver\PCI_PNP6454 \Device\00000045 spcl.sys
Device \Driver\usbuhci \Device\USBPDO-2 861EE1F8
Device \Driver\usbuhci \Device\USBPDO-3 861EE1F8
Device \Driver\usbehci \Device\USBPDO-4 861551F8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys

Device \Driver\sptd \Device\3886691454 spcl.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8636E1F8
Device \Driver\Cdrom \Device\CdRom0 8611F1F8
Device \Driver\Cdrom \Device\CdRom1 8611F1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85B21500
Device \Driver\NetBT \Device\NetbiosSmb 85B21500
Device \Driver\NetBT \Device\NetBT_Tcpip_{385269D5-5BDA-4490-ADFD-504186AB4AD6} 85B21500

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

Device \Driver\usbuhci \Device\USBFDO-0 861EE1F8
Device \Driver\usbuhci \Device\USBFDO-1 861EE1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85B33500
Device \Driver\usbuhci \Device\USBFDO-2 861EE1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85B33500
Device \Driver\usbuhci \Device\USBFDO-3 861EE1F8
Device \Driver\usbehci \Device\USBFDO-4 861551F8
Device \Driver\Ftdisk \Device\FtControl 8636E1F8
Device \Driver\avqkvl7v \Device\Scsi\avqkvl7v1Port2Path0Target0Lun0 8611B500
Device \Driver\avqkvl7v \Device\Scsi\avqkvl7v1 8611B500
Device \FileSystem\Cdfs \Cdfs 85B49500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programmer\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x57 0x69 0xA6 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2B 0xB4 0xA0 0x86 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA1 0xC4 0x5D 0x40 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programmer\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x57 0x69 0xA6 0x04 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2B 0xB4 0xA0 0x86 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA1 0xC4 0x5D 0x40 ...

---- EOF - GMER 1.0.15 ----

Synes godt om

jonner40 Nybegynder

28. september 2009 - 22:32 #8

Har du stadig problemer

prøv denne her
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Synes godt om

jonner40 Nybegynder

28. september 2009 - 22:43 #9

denne kan fjerne

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Synes godt om

jonner40 Nybegynder

28. september 2009 - 22:47 #10

glem link i #8

Synes godt om

sullep Nybegynder

29. september 2009 - 09:08 #11

--Hent Combofix, og gem den på dit skrivebord:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Luk alle andre vinduer ned.

Kør så Combofix.exe, og følg anvisningerne. (Vistabrugere skal klikke med højre-musetast på filen og vælge (Kør som administrator)

Vigtigt-> Deaktiver dit antivirus/antispyware program.
Hvis du ikke kan deaktiver programmet, så klikker du bare "OK" så vil combofix forsætte.
Sig "NEJ" til at installer "Genoprettelses konsol"

Du må ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.

Når Combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil: combofix.txt som ligger her C:\ Combofix txt

Hvis logfilen ikke åbnes så finder du den her c:\combofix.txt
Indholdet af denne fil må du gerne lægge herind.

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 10:53 #12

hej og tak begge. Prøver først combofix løsningen da jeg kan se den ofte er foreslået her.

Der kommer en log snarest

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 11:07 #13

Hej sullep, hermed 1 stk. CF-log
ComboFix 09-09-28.01 - Ejer 29-09-2009 10:58.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.1015.523 [GMT 2:00]
Kører fra: c:\documents and settings\Ejer\Skrivebord\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\19837fb.msi
c:\windows\Installer\19837fc.msp
c:\windows\Installer\19837fd.msp
c:\windows\Installer\19837fe.msp
c:\windows\Installer\19837ff.msp
c:\windows\Installer\1983800.msp
c:\windows\Installer\1983801.msp
c:\windows\Installer\1983802.msp
c:\windows\Installer\1983803.msp
c:\windows\Installer\1983804.msp
c:\windows\Installer\8d952c.msp
c:\windows\Installer\ef166.msp
c:\windows\Installer\ef17a.msp

.
((((((((((((((((((((((((((((( Filer skabt fra 2009-08-28 til 2009-09-29 )))))))))))))))))))))))))))))))))))
.

2009-09-28 11:19 . 2009-09-28 11:19 -------- d-----w- c:\programmer\Windows Defender
2009-09-28 07:45 . 2009-09-28 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-28 07:45 . 2009-09-28 07:45 -------- d-----w- c:\programmer\SUPERAntiSpyware
2009-09-28 07:45 . 2009-09-28 07:45 -------- d-----w- c:\documents and settings\Ejer\Application Data\SUPERAntiSpyware.com
2009-09-28 07:44 . 2009-09-28 07:44 -------- d-----w- c:\programmer\Fælles filer\Wise Installation Wizard
2009-09-27 16:10 . 2009-06-21 21:48 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-27 16:04 . 2009-09-27 16:04 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-27 15:57 . 2009-09-27 16:02 -------- d-----w- C:\Nsi.pending
2009-09-27 15:38 . 2009-09-27 16:02 -------- d-----w- c:\documents and settings\Ejer\Application Data\Steganos VPN
2009-09-26 12:43 . 2009-09-27 16:02 -------- d-----w- c:\programmer\AskBarDis
2009-09-24 15:27 . 2009-09-27 16:02 -------- d-----w- C:\Media
2009-09-07 15:28 . 2009-09-27 16:04 -------- d-----w- c:\programmer\WSEX Poker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 11:19 . 2009-06-03 00:01 64952 ----a-w- c:\documents and settings\Ejer\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 10:11 . 2009-06-09 07:18 -------- d-----w- c:\programmer\Vuze
2009-09-27 19:02 . 2009-06-14 10:34 -------- d-----w- c:\programmer\Google
2009-09-27 16:30 . 2009-08-04 11:56 -------- d-----w- c:\programmer\Malwarebytes' Anti-Malware
2009-09-27 16:29 . 2009-08-05 15:50 -------- d-----w- c:\programmer\Action Poker
2009-09-27 16:20 . 2009-06-03 00:01 -------- d-----w- c:\programmer\Microsoft Silverlight
2009-09-27 16:04 . 2009-06-09 07:19 -------- d-----w- c:\documents and settings\Ejer\Application Data\Azureus
2009-09-27 16:03 . 2009-06-12 21:20 -------- d-----w- c:\programmer\Full Tilt Poker
2009-09-27 16:03 . 2009-06-02 23:13 -------- d--h--w- c:\programmer\InstallShield Installation Information
2009-09-27 16:02 . 2009-06-14 10:25 -------- d-----w- c:\programmer\PokerStars
2009-09-27 16:02 . 2009-08-13 10:30 -------- d-----w- c:\documents and settings\Ejer\Application Data\Poker4ever
2009-09-10 12:54 . 2009-08-04 11:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-08-04 11:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 21:07 . 2006-03-02 03:00 92046 ----a-w- c:\windows\system32\perfc006.dat
2009-08-27 21:07 . 2006-03-02 03:00 482312 ----a-w- c:\windows\system32\perfh006.dat
2009-08-27 11:54 . 2009-08-27 11:54 -------- d-----w- c:\documents and settings\Ejer\Application Data\Windows Search
2009-08-27 07:43 . 2009-08-27 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WebcamMax
2009-08-27 07:43 . 2009-08-27 07:41 -------- d-----w- c:\documents and settings\Ejer\Application Data\Webcammax
2009-08-27 07:41 . 2009-08-27 07:40 -------- d-----w- c:\programmer\WebcamMax
2009-08-16 20:49 . 2009-08-16 20:49 -------- d-----w- c:\documents and settings\Ejer\Application Data\Birdstep Technology
2009-08-16 20:47 . 2009-06-04 22:46 70671 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-08-16 20:46 . 2009-08-16 20:46 -------- d-----w- c:\programmer\3
2009-08-16 20:42 . 2009-06-04 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-08-14 17:23 . 2009-08-13 20:53 -------- d-----w- c:\programmer\Mobile Partner
2009-08-05 09:00 . 2006-03-02 03:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 11:56 . 2009-08-04 11:56 -------- d-----w- c:\documents and settings\Ejer\Application Data\Malwarebytes
2009-08-04 11:56 . 2009-08-04 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-04 11:54 . 2009-08-04 11:54 -------- d-----w- c:\programmer\CCleaner
2009-07-17 19:03 . 2006-03-02 03:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2006-03-02 03:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 16:59 . 2006-03-02 03:00 915456 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmer\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\programmer\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"ShStatEXE"="c:\programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\programmer\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"LtMoh"="c:\programmer\ltmoh\Ltmoh.exe" [2003-04-28 184320]
"EzButton"="c:\programmer\EzButton\EzButton.EXE" [2005-01-03 417792]
"Apoint"="c:\programmer\Apoint2K\Apoint.exe" [2003-06-18 151552]
"Google Quick Search Box"="c:\programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-14 68592]
"Adobe Reader Speed Launcher"="c:\programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\programmer\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Windows Defender"="c:\programmer\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2007-04-16 577536]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Windows Search.lnk - c:\programmer\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmer\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmer\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Programmer\\B2BPOKER\\NoiQpoker\\jre\\bin\\javaw.exe"=

R1 SASDIFSV;SASDIFSV;c:\programmer\SUPERAntiSpyware\sasdifsv.sys [15-09-2009 11:42 9968]
R1 SASKUTIL;SASKUTIL;c:\programmer\SUPERAntiSpyware\SASKUTIL.SYS [15-09-2009 11:42 74480]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [27-08-2009 09:40 941784]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [16-08-2009 22:47 10240]
R2 WinDefend;Windows Defender;c:\programmer\Windows Defender\MsMpEng.exe [03-11-2006 19:19 13592]
R3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\drivers\Silicon.sys [04-10-2004 12:02 22272]
R3 SASENUM;SASENUM;c:\programmer\SUPERAntiSpyware\SASENUM.SYS [15-09-2009 11:42 7408]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\programmer\Fælles filer\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-03-2009 16:28 1533808]

--- Andre Services/Drivers i Hukommelsen ---

*NewlyCreated* - SASDIFSV
*NewlyCreated* - SASENUM
*NewlyCreated* - SASKUTIL
*NewlyCreated* - UWLOYPOW
*NewlyCreated* - WINDEFEND
*Deregistered* - uwloypow

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-09-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmer\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-09-26 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2009-09-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2009-08-17 c:\windows\Tasks\SmartDefrag.job
- c:\programmer\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-17 07:22]
.
.
------- Yderligere scanning -------
.
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 11:03
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\igfxdev.dll
.
Gennemført tid: 2009-09-29 11:04
ComboFix-quarantined-files.txt 2009-09-29 09:04

Pre-Kørsel: 50.522.050.560 byte ledig
Post-Kørsel: 50.578.784.256 byte ledig

186 --- E O F --- 2009-09-29 08:55

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 11:19 #14

settings\Ejer\Application Data\Steganos VPN <<<Den bruger jeg slet ikke på den her maskine mere troede jeg havde fjernet den igen..

Synes godt om

sullep Nybegynder

29. september 2009 - 12:17 #15

Drop fildeling >> http://spywarefri.dk/forum/topic.asp?TOPIC_ID=40284

Åben Notesblok og kopier følgende (tekst med fed skrift) ind - og gem tekst-filen som CFScript.txt samme sted som du har ComboFix:

Killall::
Snapshot::
Folder::
c:\documents and settings\Ejer\Application Data\Steganos VPN
c:\programmer\AskBarDis
c:\programmer\Vuze
c:\documents and settings\Ejer\Application Data\Azureus

Træk CFScript filen over på ComboFix ikonet - det vil starte ComboFix igen (hvis computeren vil genstarte, så lad den gøre det). Se eventuelt her:
http://www.fromsej.saknet.dk/billeder/swfcombo.gif
Læg den nye ComboFix log herind.

Kom også med en frisk log fra HijackThis

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 12:41 #16

ComboFix 09-09-28.01 - Ejer 29-09-2009 12:27.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.1015.490 [GMT 2:00]
Kører fra: c:\documents and settings\Ejer\Skrivebord\ComboFix.exe
Kommandoer benyttet :: c:\documents and settings\Ejer\Skrivebord\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ejer\Application Data\Azureus
c:\documents and settings\Ejer\Application Data\Azureus\.certs
c:\documents and settings\Ejer\Application Data\Azureus\.keystore
c:\documents and settings\Ejer\Application Data\Azureus\.lock
c:\documents and settings\Ejer\Application Data\Azureus\active\cache.dat
c:\documents and settings\Ejer\Application Data\Azureus\azureus.config
c:\documents and settings\Ejer\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Ejer\Application Data\Azureus\azureus.statistics
c:\documents and settings\Ejer\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Ejer\Application Data\Azureus\banips.config
c:\documents and settings\Ejer\Application Data\Azureus\cnetworks.config
c:\documents and settings\Ejer\Application Data\Azureus\devices.config
c:\documents and settings\Ejer\Application Data\Azureus\devices.config.bak
c:\documents and settings\Ejer\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Ejer\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Ejer\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Ejer\Application Data\Azureus\dht\general.dat
c:\documents and settings\Ejer\Application Data\Azureus\dht\version.dat
c:\documents and settings\Ejer\Application Data\Azureus\downloads.config
c:\documents and settings\Ejer\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Ejer\Application Data\Azureus\friends.config
c:\documents and settings\Ejer\Application Data\Azureus\friends.config.bak
c:\documents and settings\Ejer\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Ejer\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\Devices_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\MetaSearch_2.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Ejer\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\Ejer\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\Ejer\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Ejer\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Ejer\Application Data\Azureus\metasearch.config
c:\documents and settings\Ejer\Application Data\Azureus\net\pm_3292.dat
c:\documents and settings\Ejer\Application Data\Azureus\net\pm_44034.dat
c:\documents and settings\Ejer\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Ejer\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Ejer\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Ejer\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Ejer\Application Data\Azureus\subs\24B8E9AC78200A71D3DA.vuze
c:\documents and settings\Ejer\Application Data\Azureus\tables.config
c:\documents and settings\Ejer\Application Data\Azureus\tables.config.bak
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57654.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57655.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57656.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57657.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57658.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57659.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57660.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57661.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57662.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57663.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57664.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57665.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tmp\AZU57668.tmp
c:\documents and settings\Ejer\Application Data\Azureus\torrents\AZU24859.tmp
c:\documents and settings\Ejer\Application Data\Azureus\torrents\AZU59216.tmp
c:\documents and settings\Ejer\Application Data\Azureus\torrents\AZU7956.tmp
c:\documents and settings\Ejer\Application Data\Azureus\torrents\AZU8889.tmp
c:\documents and settings\Ejer\Application Data\Azureus\tracker.config
c:\documents and settings\Ejer\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Ejer\Application Data\Azureus\unsentdata.config
c:\documents and settings\Ejer\Application Data\Azureus\update.properties
c:\documents and settings\Ejer\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Ejer\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Ejer\Application Data\Steganos VPN
c:\documents and settings\Ejer\Application Data\Steganos VPN\EB76-9516-A7DC-B65D-2A3D-6F21-0EA7-805E.crt
c:\documents and settings\Ejer\Application Data\Steganos VPN\EB76-9516-A7DC-B65D-2A3D-6F21-0EA7-805E.key
c:\documents and settings\Ejer\Application Data\Steganos VPN\siavpn.crt
c:\programmer\AskBarDis
c:\programmer\AskBarDis\bar\Cache\0009766C
c:\programmer\AskBarDis\bar\Cache\00099464
c:\programmer\AskBarDis\bar\Cache\00099CB1.bin
c:\programmer\AskBarDis\bar\Cache\0009B1FE.bin
c:\programmer\AskBarDis\bar\Cache\0009B598.bin
c:\programmer\AskBarDis\bar\Cache\0009B922.bin
c:\programmer\AskBarDis\bar\Cache\0009BBD2.bin
c:\programmer\AskBarDis\bar\Cache\0009BEB0.bin
c:\programmer\AskBarDis\bar\Cache\0009C920.bin
c:\programmer\AskBarDis\bar\History\search
c:\programmer\AskBarDis\bar\Settings\config.dat
c:\programmer\AskBarDis\bar\Settings\config.dat.bak
c:\programmer\AskBarDis\bar\Settings\prevcfg.htm
c:\programmer\AskBarDis\unins000.dat
c:\programmer\Vuze
c:\programmer\Vuze\plugins\azemp\azemp_2.1.06.jar
c:\programmer\Vuze\plugins\azemp\azemp_2.1.06.zip
c:\programmer\Vuze\plugins\azemp\azmplay.exe.bak
c:\programmer\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\programmer\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\programmer\Vuze\plugins\azemp\font.desc.bak
c:\programmer\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\programmer\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\programmer\Vuze\plugins\azemp\plugin.properties_2.1.06
c:\programmer\Vuze\plugins\azupnpav\azupnpav_0.2.21.jar
c:\programmer\Vuze\plugins\azupnpav\azupnpav_0.2.21.zip
c:\programmer\Vuze\plugins\azupnpav\plugin.properties_0.2.21

.
((((((((((((((((((((((((((((( Filer skabt fra 2009-08-28 til 2009-09-29 )))))))))))))))))))))))))))))))))))
.

2009-09-28 11:19 . 2009-09-28 11:19 -------- d-----w- c:\programmer\Windows Defender
2009-09-28 07:45 . 2009-09-28 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-28 07:45 . 2009-09-28 07:45 -------- d-----w- c:\programmer\SUPERAntiSpyware
2009-09-28 07:45 . 2009-09-28 07:45 -------- d-----w- c:\documents and settings\Ejer\Application Data\SUPERAntiSpyware.com
2009-09-28 07:44 . 2009-09-28 07:44 -------- d-----w- c:\programmer\Fælles filer\Wise Installation Wizard
2009-09-27 16:10 . 2009-06-21 21:48 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-27 16:04 . 2009-09-27 16:04 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-27 15:57 . 2009-09-27 16:02 -------- d-----w- C:\Nsi.pending
2009-09-24 15:27 . 2009-09-27 16:02 -------- d-----w- C:\Media
2009-09-07 15:28 . 2009-09-27 16:04 -------- d-----w- c:\programmer\WSEX Poker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 11:19 . 2009-06-03 00:01 64952 ----a-w- c:\documents and settings\Ejer\Lokale indstillinger\Application Data\GDIPFONTCACHEV1.DAT
2009-09-27 19:02 . 2009-06-14 10:34 -------- d-----w- c:\programmer\Google
2009-09-27 16:30 . 2009-08-04 11:56 -------- d-----w- c:\programmer\Malwarebytes' Anti-Malware
2009-09-27 16:29 . 2009-08-05 15:50 -------- d-----w- c:\programmer\Action Poker
2009-09-27 16:20 . 2009-06-03 00:01 -------- d-----w- c:\programmer\Microsoft Silverlight
2009-09-27 16:03 . 2009-06-12 21:20 -------- d-----w- c:\programmer\Full Tilt Poker
2009-09-27 16:03 . 2009-06-02 23:13 -------- d--h--w- c:\programmer\InstallShield Installation Information
2009-09-27 16:02 . 2009-06-14 10:25 -------- d-----w- c:\programmer\PokerStars
2009-09-27 16:02 . 2009-08-13 10:30 -------- d-----w- c:\documents and settings\Ejer\Application Data\Poker4ever
2009-09-10 12:54 . 2009-08-04 11:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-08-04 11:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 21:07 . 2006-03-02 03:00 92046 ----a-w- c:\windows\system32\perfc006.dat
2009-08-27 21:07 . 2006-03-02 03:00 482312 ----a-w- c:\windows\system32\perfh006.dat
2009-08-27 11:54 . 2009-08-27 11:54 -------- d-----w- c:\documents and settings\Ejer\Application Data\Windows Search
2009-08-27 07:43 . 2009-08-27 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WebcamMax
2009-08-27 07:43 . 2009-08-27 07:41 -------- d-----w- c:\documents and settings\Ejer\Application Data\Webcammax
2009-08-27 07:41 . 2009-08-27 07:40 -------- d-----w- c:\programmer\WebcamMax
2009-08-16 20:49 . 2009-08-16 20:49 -------- d-----w- c:\documents and settings\Ejer\Application Data\Birdstep Technology
2009-08-16 20:47 . 2009-06-04 22:46 70671 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-08-16 20:46 . 2009-08-16 20:46 -------- d-----w- c:\programmer\3
2009-08-16 20:42 . 2009-06-04 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-08-14 17:23 . 2009-08-13 20:53 -------- d-----w- c:\programmer\Mobile Partner
2009-08-05 09:00 . 2006-03-02 03:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 11:56 . 2009-08-04 11:56 -------- d-----w- c:\documents and settings\Ejer\Application Data\Malwarebytes
2009-08-04 11:56 . 2009-08-04 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-04 11:54 . 2009-08-04 11:54 -------- d-----w- c:\programmer\CCleaner
2009-07-17 19:03 . 2006-03-02 03:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2006-03-02 03:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 16:59 . 2006-03-02 03:00 915456 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmer\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\programmer\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"ShStatEXE"="c:\programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\programmer\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"LtMoh"="c:\programmer\ltmoh\Ltmoh.exe" [2003-04-28 184320]
"EzButton"="c:\programmer\EzButton\EzButton.EXE" [2005-01-03 417792]
"Apoint"="c:\programmer\Apoint2K\Apoint.exe" [2003-06-18 151552]
"Google Quick Search Box"="c:\programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-14 68592]
"Adobe Reader Speed Launcher"="c:\programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\programmer\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Windows Defender"="c:\programmer\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2007-04-16 577536]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
Windows Search.lnk - c:\programmer\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmer\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmer\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmer\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmer\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Programmer\\B2BPOKER\\NoiQpoker\\jre\\bin\\javaw.exe"=

R1 SASDIFSV;SASDIFSV;c:\programmer\SUPERAntiSpyware\sasdifsv.sys [15-09-2009 11:42 9968]
R1 SASKUTIL;SASKUTIL;c:\programmer\SUPERAntiSpyware\SASKUTIL.SYS [15-09-2009 11:42 74480]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [27-08-2009 09:40 941784]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [16-08-2009 22:47 10240]
R2 WinDefend;Windows Defender;c:\programmer\Windows Defender\MsMpEng.exe [03-11-2006 19:19 13592]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\programmer\Fælles filer\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-03-2009 16:28 1533808]
R3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\drivers\Silicon.sys [04-10-2004 12:02 22272]
R3 SASENUM;SASENUM;c:\programmer\SUPERAntiSpyware\SASENUM.SYS [15-09-2009 11:42 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'

2009-09-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmer\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-09-26 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2009-09-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]
.
.
------- Yderligere scanning -------
.
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 12:33
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\programmer\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3912)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\programmer\McAfee\Common Framework\FrameworkService.exe
c:\programmer\McAfee\VirusScan Enterprise\Mcshield.exe
c:\programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\programmer\McAfee\Common Framework\naPrdMgr.exe
c:\programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\searchindexer.exe
c:\programmer\Fælles filer\Microsoft Shared\Windows Live\WLIDSVCM.EXE
c:\programmer\McAfee\Common Framework\Mctray.exe
c:\programmer\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Gennemført tid: 2009-09-29 12:37 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2009-09-29 10:37
ComboFix2.txt 2009-09-29 09:04

Pre-Kørsel: 50.594.156.544 byte ledig
Post-Kørsel: 50.551.922.688 byte ledig

287 --- E O F --- 2009-09-29 08:55

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 12:44 #17

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:15, on 29-09-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\McAfee\Common Framework\FrameworkService.exe
C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Programmer\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ltmoh\Ltmoh.exe
C:\Programmer\EzButton\EzButton.EXE
C:\Programmer\Apoint2K\Apoint.exe
C:\Programmer\McAfee\Common Framework\McTray.exe
C:\Programmer\Windows Defender\MSASCui.exe
C:\Programmer\Windows Live\Messenger\msnmsgr.exe
C:\Programmer\Apoint2K\Apntex.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ejer\Skrivebord\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programmer\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Hjælp til tilmelding til Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmer\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmer\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [EzButton] C:\Programmer\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Programmer\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmer\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmer\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Programmer\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programmer\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243982979218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Programmer\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programmer\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programmer\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 6746 bytes

Det var begge logs.
Smider en log op lidt senere med min stationære.
Backdoor bot + lidt andet skidt jeg tror jeg fik fjernet, men altid godt med eksperternes eftersyn;-)

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 12:44 #18

Smider en log op lidt senere med min stationære.
Backdoor bot + lidt andet skidt jeg tror jeg fik fjernet, men altid godt med eksperternes eftersyn;-)
<<<<<<<<<<<<Mente selvfølgelig i en ny tråd..

Synes godt om

sullep Nybegynder

29. september 2009 - 13:23 #19

Kør Hijackthis, scan, sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked.

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmer\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe"

Du skal afinstaller SuperAntiSpware når du kører med "Defender".

Din log er ren

Klik på START derefter Kør

Skriv/kopier: Combofix /u i boxen, og klik OK.

Bemærk mellemrum mellem X og /U, det skal være der.

Ovennævnte procedure vil:
Slette følgende:
ComboFix og tilhørende filer og mapper.
Nulstille uret indstillinger.
Skjule filtypenavne, hvis det kræves.
Skjule System / Skjulte filer, hvis det kræves.

Du bør oprette et nyt gendannelsespunkt for at fjerne eventuelle infektioner fra et gammelt gendannelsespunkt.
Den nemmeste og sikreste måde at gøre dette på er:

Gå til Start> Alle programmer> Tilbehør> Systemværktøjer> Systemgendannelse
Vælg Opret et gendannelsespunkt, og tryk Ok.

Næste, skal du gå til Start> Kør og skriv cleanmgr
Vælg Flere indstillinger, fanen
Vælg Systemgendannelse - Ryd op og tryk OK.
Dette vil fjerne alle gendannelsespunkter, undtagen det nye du lige har oprettet.

God fornøjelse

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 14:01 #20

Mange tak for hjælpen;-)

Synes godt om

ATTACKED Nybegynder

29. september 2009 - 14:03 #21

Hvis du vil have de ekstra 80 points jeg ville give er du velkommen til at hapse dem her http://www.eksperten.dk/spm/887966

MVH

Synes godt om

Titel	Indlæg	Oprettet	Seneste aktivitet
Findes der mon et Antivirus program, som ikke, konstant, reklamerer, for at købe ? Af Ikke-ekspert i Virus	21	22/06/202419:22	23/06/202412:54
Anbefaling af antivirusprogram med firewall Af OnePlusFan i Virus	23	07/05/202421:02	13/05/202419:48
trusler Af gerhardpet i Virus	4	26/01/202410:02	27/01/202408:32
Kan ikke fjerne virus Af mik28 i Virus	16	09/01/202416:37	10/01/202419:59
virusscanning Af JetteD i Virus	2	10/11/202312:55	10/11/202316:36

I dag 14:48	Microsoft Business - kan ikke logge ind Af Lasse i Office & Kontorpakker
I dag 05:32	Kan VPN hjælpe mig med at se Disney - Amazon betalt i Colombia, men bruge i DK? Af klavil i Andet software
I går 13:45	Udskrivningsproblemer Af Faxholm i PC
29/0717:36	støj fra bilradio når jeg oplader min telefon og hører musik via aux stikket Af ibnielsen i Mobiltelefoner
29/0708:58	Camera til usb > 30 Megapixel Af KurtG i Foto & video

Rootkit.TDSS + DNSChanger.t

Log ind eller opret profil

Hov!