Google Chrome no longer works

  • erik-hjt

    Hi Mar,

    Unfortunately I can no longer see that.

    Are there other people who use this PC?

    Regards, Erik

  • mar

    Good afternoon

    No, only my wife and I.

    If I understand correctly, I have to put the Vista disc in, make sure the PC boots from the DVD, and then click Repair. Does it then continue by itself?

    And then bootrec.exe /fixmbr in the System Recovery dialog, but how do I get to that dialog box?

    And is the problem then solved?

    Can I then simply go on the internet again?

    Thanks in advance

  • Jos H

    Eric wrote:

    Click the operating system that you want to repair, and then click Next.

    In the System Recovery Options dialog box, click Command Prompt.

    Type:

    Bootrec.exe /FixMbr

    and press ENTER

    Restart your PC

    Then run another scan with ComboFix and post the log, please

    The choice is yours

  • mar

    Good morning

    Sorry Erik that I come across a bit like a complete layman.

    But I had not done this yet.

    Let me know if this is of any use to you.

    The other thing you wrote about the disc I have not done yet. We are going away for a few days tomorrow, so that will be a bit later.

    Thank you very much for helping us this far, because it seems difficult to me to explain things to laymen like us and have us carry them out

    Regards, Mar's husband


  • erik-hjt

    A few jokers have come back again???

    Open Notepad, then copy and paste the following (bold) text into an empty window:

    File::

    c:\windows\system32\dloD562.dll

    c:\windows\system32\dloD562.tmp

    Netsvc::

    jpcrvjjt

    Registry::

    @=“”

    Save this to your Desktop as CFScript.txt

    Drag CFScript.txt into ComboFix.exe.

    This will make ComboFix restart.

    Reboot if you are asked to,

    and post the contents of Combofix.txt in your next reply

    PS:

    By staying off the internet I mean during the time we are working on solving your problem; do not go doing all sorts of things on the internet while the rootkit is still present

  • mar

    Good afternoon

    I did what you asked; here is the log

    Regards, Mar's husband


  • erik-hjt

    It keeps coming back.

    Let's take a look in a different way:

    Download the Gmer rootkit scanner to the desktop. (Windows NT/W2K/XP/VISTA !!)

    The file you are going to download consists of a randomly chosen combination of digits and letters. (e.g. jqb1jln3.exe or ubmp5cd5.exe, always a combination of 8 digits and letters)

    Double-click this "file" to start Gmer.

    If you get a message that rootkits are active and you are asked to run a scan, do not allow this.

    On the right-hand side there are a number of options that you can check or uncheck.

    By default everything is checked; leave it that way.

    Under Files, only the system partition should be checked. (The system partition is the partition on which your Windows is installed, usually C:\.)

    Uncheck "IAT/EAT" and "show all" (the latter must not be checked!)

    Now click the "Scan" button to start the rootkit scan with Gmer. This can take some time.

    When the scan is finished, click the "Save" button and save the log as ark.txt on your desktop.

    (If you click the "Copy" button, the full report of the log is copied to the clipboard and you can paste it into your post with CTRL+V.)

    To close Gmer, click the "Cancel" button.

    If you have problems running Gmer, mention this when posting the logs.

  • mar

    Good evening

    I did what you wrote but cannot post the log. This was the message: Your message text is too long. Please shorten it.

    I could not copy the clipboard

    http://shell.windows.com/fileassoc/0413/xml/redir.asp?EXT=pl

    This page said why not

    How can I post the log now

    thanks again

  • mar

    Good afternoon

    Is it convenient like this, in 2 parts

    GMER 1.0.15.15477 - http://www.gmer.net

    Rootkit scan 2010-10-19 17:44:51

    Windows 6.0.6002 Service Pack 2

    Running: kzr7pqci.exe; Driver: C:\Users\HANSEN~1\AppData\Local\Temp\pwroypoc.sys


  • mar


    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegOpenKeyA 779289C7 5 Bytes JMP 003A000A

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegCreateKeyW 7793391E 5 Bytes JMP 003A0040

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegCreateKeyExW 779341F1 5 Bytes JMP 003A0F94

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegOpenKeyExA 77937C42 5 Bytes JMP 003A001B

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegOpenKeyW 7793E2B5 5 Bytes JMP 003A0FEF

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegOpenKeyExW 77947BA1 5 Bytes JMP 003A0FCA

    .text C:\Windows\System32\svchost.exe WS2_32.dll!socket 777636D1 5 Bytes JMP 001C0FEF

    .text C:\Windows\system32\svchost.exe kernel32.dll!GetStartupInfoW 77371929 5 Bytes JMP 005A0F5E

    .text C:\Windows\system32\svchost.exe kernel32.dll!GetStartupInfoA 773719C9 5 Bytes JMP 005A00A4

    .text C:\Windows\system32\svchost.exe kernel32.dll!CreateProcessW 77371BF3 5 Bytes JMP 005A00D3

    .text C:\Windows\system32\svchost.exe kernel32.dll!CreateProcessA 77371C28 5 Bytes JMP 005A0F3C

    .text C:\Windows\system32\svchost.exe kernel32.dll!VirtualProtect 77371DC3 5 Bytes JMP 005A0053

    .text C:\Windows\system32\svchost.exe kernel32.dll!CreateNamedPipeA 77372EF5 5 Bytes JMP 005A0000

    .text C:\Windows\system32\svchost.exe kernel32.dll!CreateNamedPipeW 77375C0C 5 Bytes JMP 005A0FB9

    .text C:\Windows\system32\svchost.exe kernel32.dll!CreatePipe 77398E6E 5 Bytes JMP 005A0093

    .text C:\Windows\system32\svchost.exe kernel32.dll!LoadLibraryExW 77399109 5 Bytes JMP 005A0F79

    .text C:\Windows\system32\svchost.exe kernel32.dll!LoadLibraryW 77399362 5 Bytes JMP 005A0F94

    .text C:\Windows\system32\svchost.exe kernel32.dll!LoadLibraryExA 773994B4 5 Bytes JMP 005A0036

    .text C:\Windows\system32\svchost.exe kernel32.dll!LoadLibraryA 773994DC 5 Bytes JMP 005A0025

    .text C:\Windows\system32\svchost.exe kernel32.dll!VirtualProtectEx 7739DBDA 5 Bytes JMP 005A0078

    .text C:\Windows\system32\svchost.exe kernel32.dll!GetProcAddress 773B903B 5 Bytes JMP 005A00EE

    .text C:\Windows\system32\svchost.exe kernel32.dll!CreateFileW 773BAECB 5 Bytes JMP 005A0FCA

    .text C:\Windows\system32\svchost.exe kernel32.dll!CreateFileA 773BCE5F 5 Bytes JMP 005A0FE5

    .text C:\Windows\system32\svchost.exe kernel32.dll!WinExec 77405CF7 5 Bytes JMP 005A0F4D

    .text C:\Windows\system32\svchost.exe msvcrt.dll!_wsystem 77DA7F2F 5 Bytes JMP 00A20F95

    .text C:\Windows\system32\svchost.exe msvcrt.dll!system 77DA804B 5 Bytes JMP 00A20FA6

    .text C:\Windows\system32\svchost.exe msvcrt.dll!_creat 77DABBE1 5 Bytes JMP 00A20016

    .text C:\Windows\system32\svchost.exe msvcrt.dll!_open 77DAD106 5 Bytes JMP 00A20FEF

    .text C:\Windows\system32\svchost.exe msvcrt.dll!_wcreat 77DAD326 5 Bytes JMP 00A20FC1

    .text C:\Windows\system32\svchost.exe msvcrt.dll!_wopen 77DAD501 5 Bytes JMP 00A20FD2

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegCreateKeyExA 779239AB 5 Bytes JMP 005C0051

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegCreateKeyA 77923BA9 5 Bytes JMP 005C0FAF

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegOpenKeyA 779289C7 5 Bytes JMP 005C0000

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegCreateKeyW 7793391E 5 Bytes JMP 005C0036

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegCreateKeyExW 779341F1 5 Bytes JMP 005C0F94

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegOpenKeyExA 77937C42 5 Bytes JMP 005C0FD4

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegOpenKeyW 7793E2B5 5 Bytes JMP 005C0FE5

    .text C:\Windows\system32\svchost.exe ADVAPI32.dll!RegOpenKeyExW 77947BA1 5 Bytes JMP 005C0025

    .text C:\Windows\system32\svchost.exe WS2_32.dll!socket 777636D1 5 Bytes JMP 005B0000

    .text C:\Windows\System32\svchost.exe kernel32.dll!GetStartupInfoW 77371929 5 Bytes JMP 000500B8

    .text C:\Windows\System32\svchost.exe kernel32.dll!GetStartupInfoA 773719C9 5 Bytes JMP 0005009D

    .text C:\Windows\System32\svchost.exe kernel32.dll!CreateProcessW 77371BF3 5 Bytes JMP 00050F39

    .text C:\Windows\System32\svchost.exe kernel32.dll!CreateProcessA 77371C28 5 Bytes JMP 000500DA

    .text C:\Windows\System32\svchost.exe kernel32.dll!VirtualProtect 77371DC3 5 Bytes JMP 00050F7C

    .text C:\Windows\System32\svchost.exe kernel32.dll!CreateNamedPipeA 77372EF5 5 Bytes JMP 00050FD4

    .text C:\Windows\System32\svchost.exe kernel32.dll!CreateNamedPipeW 77375C0C 5 Bytes JMP 0005001B

    .text C:\Windows\System32\svchost.exe kernel32.dll!CreatePipe 77398E6E 5 Bytes JMP 0005008C

    .text C:\Windows\System32\svchost.exe kernel32.dll!LoadLibraryExW 77399109 5 Bytes JMP 0005004A

    .text C:\Windows\System32\svchost.exe kernel32.dll!LoadLibraryW 77399362 5 Bytes JMP 00050F9E

    .text C:\Windows\System32\svchost.exe kernel32.dll!LoadLibraryExA 773994B4 5 Bytes JMP 00050F8D

    .text C:\Windows\System32\svchost.exe kernel32.dll!LoadLibraryA 773994DC 5 Bytes JMP 00050FAF

    .text C:\Windows\System32\svchost.exe kernel32.dll!VirtualProtectEx 7739DBDA 5 Bytes JMP 00050071

    .text C:\Windows\System32\svchost.exe kernel32.dll!GetProcAddress 773B903B 5 Bytes JMP 00050F28

    .text C:\Windows\System32\svchost.exe kernel32.dll!CreateFileW 773BAECB 5 Bytes JMP 00050FE5

    .text C:\Windows\System32\svchost.exe kernel32.dll!CreateFileA 773BCE5F 5 Bytes JMP 0005000A

    .text C:\Windows\System32\svchost.exe kernel32.dll!WinExec 77405CF7 5 Bytes JMP 000500C9

    .text C:\Windows\System32\svchost.exe msvcrt.dll!_wsystem 77DA7F2F 5 Bytes JMP 00070FCA

    .text C:\Windows\System32\svchost.exe msvcrt.dll!system 77DA804B 5 Bytes JMP 00070055

    .text C:\Windows\System32\svchost.exe msvcrt.dll!_creat 77DABBE1 5 Bytes JMP 00070033

    .text C:\Windows\System32\svchost.exe msvcrt.dll!_open 77DAD106 5 Bytes JMP 0007000C

    .text C:\Windows\System32\svchost.exe msvcrt.dll!_wcreat 77DAD326 5 Bytes JMP 00070044

    .text C:\Windows\System32\svchost.exe msvcrt.dll!_wopen 77DAD501 5 Bytes JMP 00070FEF

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegCreateKeyExA 779239AB 5 Bytes JMP 00060F79

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegCreateKeyA 77923BA9 5 Bytes JMP 0006001B

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegOpenKeyA 779289C7 5 Bytes JMP 00060FEF

    .text C:\Windows\System32\svchost.exe ADVAPI32.dll!RegCreateKeyW