
Zero Access Root Kit and hidden files


  • This topic is locked
138 replies to this topic

#1 Annie12

  • Members
  • 89 posts

Posted 03 May 2012 - 11:40 PM

Hi, I came over from here http://www.bleepingcomputer.com/forums/topic452146.html/page__st__15
and am posting here because it was requested. The DDS Report is below and GMER is still running. Do you want that report here when it completes? I am posting from a non-infected computer. Thanks in advance for the help.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.0
Run by Connie's at 22:47:28 on 2012-05-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.420 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre7\bin\jqs.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.toshiba.com/search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120119064203.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Microsoft] rundll32.exe "c:\documents and settings\connie's\local settings\application data\microsoft\brlwuvwb.dll",m4OutVideoUpdateSettings
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TFncKy] TFncKy.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{502565AC-A946-4903-A07B-88AFFD3826B3} : DhcpNameServer = 192.168.15.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-11 475704]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-10-11 89792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-27 654408]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-1-17 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-1-17 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-1-17 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-1-17 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-1-17 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-1-17 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-11 159608]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-10-10 196912]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-11-14 245760]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-11 57600]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-27 22344]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-10-11 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-10-11 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-11 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-10-11 83856]
S2 avgtdi;PID_PEPI;c:\windows\system32\svchost.exe -k netsvcs [2005-11-4 14336]
S2 pavfnsvr;Tlntsvr;c:\windows\system32\svchost.exe -k netsvcs [2005-11-4 14336]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-10-11 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-11 87656]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\sony\sound organizer\sony.earth\PACSPTISVR.exe [2010-11-19 157024]
.
=============== Created Last 30 ================
.
2012-05-04 02:47:25 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 02:47:24 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-03 22:13:02 -------- d-sh--w- c:\documents and settings\connie's\UserData
2012-05-03 17:19:03 89088 ----a-w- C:\mbr.exe
2012-05-02 20:33:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-02 01:56:34 -------- d-----w- C:\Microsoft
2012-05-01 16:27:10 -------- d-----w- c:\program files\WiseFixer
2012-04-28 22:27:58 -------- d--h--w- c:\windows\PIF
2012-04-28 00:37:46 -------- d-----w- c:\program files\stinger
2012-04-27 14:25:16 625710 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-27 14:08:04 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-04-27 12:52:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-27 12:52:37 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-04-27 12:19:14 -------- d-----w- c:\documents and settings\connie's\application data\Malwarebytes
2012-04-27 11:35:51 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 11:35:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-27 11:35:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-26 22:15:53 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-26 22:15:40 75127 ----a-w- c:\windows\system32\1f256bac.exe
2012-04-16 02:45:27 -------- d-----w- c:\program files\Sony
2012-04-16 02:45:06 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2012-04-16 02:45:06 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2012-04-16 02:41:33 -------- d-----w- c:\documents and settings\all users\application data\Sony Corporation
2012-04-07 13:52:36 1409 ----a-w- c:\windows\QTFont.for
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-05-04 02:46:51 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-28 00:38:44 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-04-28 00:38:44 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-04-28 00:38:44 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-04-16 02:45:03 125424 ------w- c:\windows\system32\pxinsi64.exe
2012-04-16 02:44:58 45200 ------w- c:\windows\system32\drivers\pxhelp20.sys
2012-04-16 02:44:58 123888 ------w- c:\windows\system32\pxcpyi64.exe
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 22:48:27.89 ===============
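
As an added example (not code from the post, from DDS, or from any BleepingComputer tool), here is a small Python triage script that reads a few lines copied from the DDS log above and flags the entries a malware responder would open first: a Run value that uses rundll32 to load a DLL from a user-writable profile path, svchost-hosted services whose display names have nothing to do with their service names, and a freshly created binary in system32 with an 8-hex-digit name. The heuristics are assumptions of mine, not DDS logic; a finding means "look at this", not "this is malicious". Note that the 2005 date on the two svchost services is the date of svchost.exe itself, which is why the script points at the ServiceDll value as the thing to read next.

```python
"""Triage a handful of DDS log lines for the entries a responder would read first.

Added example, not code from the post, from DDS, or from any BleepingComputer tool;
the heuristics are assumptions, and a finding means "check this", not "malicious".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft] rundll32.exe "c:\documents and settings\connie's\local settings\application data\microsoft\brlwuvwb.dll",m4OutVideoUpdateSettings
mRun: [<NO NAME>]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-11 475704]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-27 654408]
S2 avgtdi;PID_PEPI;c:\windows\system32\svchost.exe -k netsvcs [2005-11-4 14336]
S2 pavfnsvr;Tlntsvr;c:\windows\system32\svchost.exe -k netsvcs [2005-11-4 14336]
2012-05-03 22:13:02 -------- d-sh--w- c:\documents and settings\connie's\UserData
2012-04-26 22:15:40 75127 ----a-w- c:\windows\system32\1f256bac.exe
"""

# The three DDS line shapes handled here: Run keys, services/drivers, "Created Last 30" files.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?) \[[\d-]+ \d+\]$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.(exe|dll|sys)$", re.IGNORECASE)

PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path in a 'rundll32.exe <dll>,<export>' command, or None if it is not one."""
    cmd = cmd.strip()
    if not cmd.lower().startswith("rundll32"):
        return None
    rest = cmd.split(None, 1)[1].strip() if " " in cmd else ""
    if rest.startswith('"'):            # quoted path; the export name follows the closing quote
        return rest[1:].split('"', 1)[0]
    return rest.split(",", 1)[0]        # unquoted path runs up to the comma


def check_run(line: str, name: str, cmd: str) -> Optional[Finding]:
    """Flag a Run value that uses rundll32 to load a DLL from a user-writable profile path."""
    dll = rundll32_target(cmd)
    if dll is None:
        return None
    low = dll.lower()
    if any(m in low for m in PROFILE_MARKERS) and any(m in low for m in WRITABLE_MARKERS):
        return Finding(line, f"Run value [{name}] loads a DLL from a profile path via rundll32: {dll}")
    return None


def check_service(line: str, svc: str, disp: str, path: str) -> Optional[Finding]:
    r"""Flag an svchost-hosted service whose display name is unrelated to its service name.

    DDS prints only the host binary, so the code actually run is the DLL named under
    HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll; read that next.
    """
    if "svchost.exe -k" not in path.lower() or svc.lower() in disp.lower():
        return None
    return Finding(line, f"svchost-hosted service '{svc}' has unrelated display name '{disp}'; "
                         f"inspect Services\\{svc}\\Parameters\\ServiceDll")


def check_created(line: str, path: str) -> Optional[Finding]:
    """Flag a newly created binary in system32 whose basename is eight hex digits."""
    low = path.lower()
    if "\\windows\\system32\\" in low and HEX_NAME_RE.match(low.rsplit("\\", 1)[-1]):
        return Finding(line, f"new binary with an 8-hex-digit name in system32: {path}")
    return None


CHECKS = ((RUN_RE, check_run), (SERVICE_RE, check_service), (CREATED_RE, check_created))


def triage(dds_text: str) -> List[Finding]:
    """Match each line against the known shapes, run its check, and return findings in log order."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                hit = check(line, **m.groupdict())
                if hit:
                    findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.reason}\n    {f.line}")
```

Run it as a script to print the four flagged lines from the sample; triage() returns the findings as objects, so the same checks can be pointed at a complete DDS log pasted into a file.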


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,022 posts
  • Location:Puerto rico

Posted 04 May 2012 - 12:05 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.


Please Only Copy And Paste Reports Into Topic - Do Not Attach.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Annie12

  • Topic Starter
  • Members
  • 89 posts

Posted 04 May 2012 - 12:16 AM

Hi Gringo, thanks for the fast response. My computer is still running GMER and I will need to do the backup, so it will probably be sometime tomorrow before I post anything. Thanks for the help; I will be in touch.

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,022 posts
  • Location:Puerto rico

Posted 04 May 2012 - 12:35 AM

No problem and see you then


gringo

#5 Annie12

  • Topic Starter
  • Members
  • 89 posts

Posted 04 May 2012 - 06:38 AM

Hi Gringo, the GMER report completed and here it is... I will still have to back up my files. I do need to get a little more sleep, lol. I will connect later this afternoon. Thanks for your help.


GMER REPORT

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-04 06:24:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160412ASG rev.0004SDM1
Running: gmer.exe; Driver: C:\DOCUME~1\Connie's\LOCALS~1\Temp\pxldqpog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF76B52A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF76B52B4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF76B52E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF76B5336]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF76B528C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF76B5264]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF76B5278]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF76B52CA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF76B530C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF76B52F6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF76B5360]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF76B534C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF76B5320]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB9D24EBF]
? C:\DOCUME~1\Connie's\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[140] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 026B0FEF
.text C:\WINDOWS\System32\svchost.exe[140] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 026B0FD4
.text C:\WINDOWS\System32\svchost.exe[140] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 026B000A
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03B30000
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03B300A1
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03B30090
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03B30073
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03B30FB6
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03B30047
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03B30F80
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03B300C8
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03B30F54
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03B30F6F
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03B30F43
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03B30058
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03B30011
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03B30F9B
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03B30FE5
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03B30036
.text C:\WINDOWS\System32\svchost.exe[140] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03B300ED
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03B2001B
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03B20087
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03B20FCA
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03B20FDB
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03B20076
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03B20000
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03B2005B
.text C:\WINDOWS\System32\svchost.exe[140] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03B20036
.text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03B10FA3
.text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!system 77C293C7 5 Bytes JMP 03B10FBE
.text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03B10038
.text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03B10000
.text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03B10FD9
.text C:\WINDOWS\System32\svchost.exe[140] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03B1001D
.text C:\WINDOWS\System32\svchost.exe[140] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03440FEF
.text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 02EA0FEF
.text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 02EA0FCA
.text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 02EA0000
.text C:\WINDOWS\System32\svchost.exe[140] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 02EA0FAF
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00750011
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0079000A
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007900AB
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0079009A
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 0079007D
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790062
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00790051
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007900C8
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790F80
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00790F4A
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00790F6F
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00790F39
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00790FCA
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0079001B
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790F9B
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790040
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007900ED
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780F94
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780036
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780FAF
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0078005B
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780FD4
.text C:\WINDOWS\system32\svchost.exe[636] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770F7F
.text C:\WINDOWS\system32\svchost.exe[636] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770F9A
.text C:\WINDOWS\system32\svchost.exe[636] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770FB5
.text C:\WINDOWS\system32\svchost.exe[636] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FE3
.text C:\WINDOWS\system32\svchost.exe[636] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\svchost.exe[636] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FD2
.text C:\WINDOWS\system32\svchost.exe[636] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE005B
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F5C
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0040
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F2E
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0076
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00B6
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE009B
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00C7
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F4B
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F1D
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC004E
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0033
.text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC000C
.text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\Explorer.EXE[1044] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01490000
.text C:\WINDOWS\Explorer.EXE[1044] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01490FE5
.text C:\WINDOWS\Explorer.EXE[1044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0149001B
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01790000
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0179008E
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01790F99
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 01790073
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [84]
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01790FB6
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01790051
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 017900D5
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 017900C4
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01790F68
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01790101
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01790F4D
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01790062
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01790011
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 017900A9
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01790FDB
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01790022
.text C:\WINDOWS\Explorer.EXE[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 017900F0
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01770FB9
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0177004A
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01770FCA
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01770FDB
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01770F8D
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01770000
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01770025
.text C:\WINDOWS\Explorer.EXE[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01770FA8
.text C:\WINDOWS\Explorer.EXE[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 014C0F86
.text C:\WINDOWS\Explorer.EXE[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 014C0F97
.text C:\WINDOWS\Explorer.EXE[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 014C0000
.text C:\WINDOWS\Explorer.EXE[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014C0FEF
.text C:\WINDOWS\Explorer.EXE[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 014C0011
.text C:\WINDOWS\Explorer.EXE[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014C0FD2
.text C:\WINDOWS\Explorer.EXE[1044] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 014A0FE5
.text C:\WINDOWS\Explorer.EXE[1044] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 014A0000
.text C:\WINDOWS\Explorer.EXE[1044] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 014A0011
.text C:\WINDOWS\Explorer.EXE[1044] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 014A0022
.text C:\WINDOWS\Explorer.EXE[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014B000A
.text C:\WINDOWS\system32\services.exe[1588] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1588] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[1588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00740F68
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00740F83
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00740051
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00740F94
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00740025
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0074009D
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00740082
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007400DD
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00740F3A
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007400EE
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00740036
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00740FD4
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00740F57
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00740014
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00740FC3
.text C:\WINDOWS\system32\services.exe[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007400AE
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F6F
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FD1
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F64
.text C:\WINDOWS\system32\services.exe[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060F7F
.text C:\WINDOWS\system32\services.exe[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FB5
.text C:\WINDOWS\system32\services.exe[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060F90
.text C:\WINDOWS\system32\services.exe[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FC6
.text C:\WINDOWS\system32\services.exe[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[1600] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\lsass.exe[1600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\lsass.exe[1600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CC0FDB
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90F6B
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90F86
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F97
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90FA8
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E9002F
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F3D
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F5A
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900C5
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F2C
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E90F11
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E9004A
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90085
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FC3
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\lsass.exe[1600] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E900A0
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0F8A
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0011
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0047
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0FA5
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]
.text C:\WINDOWS\system32\lsass.exe[1600] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0036
.text C:\WINDOWS\system32\lsass.exe[1600] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0042
.text C:\WINDOWS\system32\lsass.exe[1600] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0027
.text C:\WINDOWS\system32\lsass.exe[1600] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0FC8
.text C:\WINDOWS\system32\lsass.exe[1600] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\lsass.exe[1600] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0FB7
.text C:\WINDOWS\system32\lsass.exe[1600] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\lsass.exe[1600] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0FEF
.text C:\Program Files\Messenger\msmsgs.exe[1604] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EF0000
.text C:\Program Files\Messenger\msmsgs.exe[1604] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EF0FCA
.text C:\Program Files\Messenger\msmsgs.exe[1604] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EF0FDB
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FE5
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F3A
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F4B
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90F72
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90F8D
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F9001B
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F18
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90054
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90EEC
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F9007B
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90096
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90F9E
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90FD4
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90F29
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F9000A
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90FC3
.text C:\Program Files\Messenger\msmsgs.exe[1604] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F90F07
.text C:\Program Files\Messenger\msmsgs.exe[1604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70F8B
.text C:\Program Files\Messenger\msmsgs.exe[1604] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70F9C
.text C:\Program Files\Messenger\msmsgs.exe[1604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70FC1
.text C:\Program Files\Messenger\msmsgs.exe[1604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70FEF
.text C:\Program Files\Messenger\msmsgs.exe[1604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F7000C
.text C:\Program Files\Messenger\msmsgs.exe[1604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FD2
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FC3
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F8004A
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80FD4
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80000
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80F8D
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80FEF
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FA8
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\Program Files\Messenger\msmsgs.exe[1604] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F8002F
.text C:\Program Files\Messenger\msmsgs.exe[1604] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FE5
.text C:\Program Files\Messenger\msmsgs.exe[1604] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00F50FEF
.text C:\Program Files\Messenger\msmsgs.exe[1604] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00F50000
.text C:\Program Files\Messenger\msmsgs.exe[1604] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00F50FCA
.text C:\Program Files\Messenger\msmsgs.exe[1604] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AC000A
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AC0FD4
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90FA5
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90FB6
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F9009A
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90073
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90047
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F6A
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F900BC
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90F4F
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F900E8
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90F3E
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90062
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F900AB
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F900D7
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0036
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0FA8
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0025
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0FB9
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AF0FCA
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CF, 88]
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF005B
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0042
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0FB7
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE0FD9
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE0FC8
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE001D
.text C:\WINDOWS\system32\svchost.exe[1768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AD0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02920FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02920FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02920FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 037C0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 037C0054
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 037C0F5F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 037C0039
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 037C0F7C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 037C0F9E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 037C0080
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 037C0F38
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037C00BD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037C00AC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 037C0F09
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 037C0F8D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 037C0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 037C006F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 037C0FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 037C0FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 037C009B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 037B000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 037B0051
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 037B0FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 037B0FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 037B0036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 037B0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 037B0F94
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9B, 8B]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 037B001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 037A0FA4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] msvcrt.dll!system 77C293C7 5 Bytes JMP 037A0FB5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 037A000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 037A0FE3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 037A001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 037A0FC6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 03780000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 03780011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 03780022
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 03780FD1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1784] ws2_32.dll!socket 71AB4211 5 Bytes JMP 03790000
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A00036
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A0001B
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B7005E
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B70F69
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B70F86
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B70F97
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B70FB2
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B70F2C
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B70F3D
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B700BE
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B70099
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B700D9
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B70039
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B70FDE
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B70F4E
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B70014
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B70FCD
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B70F1B
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30047
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30014
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30FDE
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30036
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30F9E
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30FAF
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20056
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20031
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20FD2
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FE3
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20FC1
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A2000C
.text C:\WINDOWS\system32\svchost.exe[1864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[2280] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[2280] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[2280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F74
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0069
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0058
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF009A
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F52
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F2D
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00C6
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00EB
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F63
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[2280] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00AB
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F79
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F8A
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88]
.text C:\WINDOWS\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[2280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930040
.text C:\WINDOWS\system32\svchost.exe[2280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930FB5
.text C:\WINDOWS\system32\svchost.exe[2280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FD7
.text C:\WINDOWS\system32\svchost.exe[2280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[2280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FC6
.text C:\WINDOWS\system32\svchost.exe[2280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[2280] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[2280] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00910FDB
.text C:\WINDOWS\system32\svchost.exe[2280] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\svchost.exe[2280] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00910FA5
.text C:\WINDOWS\system32\svchost.exe[2280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0092000A
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[3236] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[3236] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C20014
.text C:\WINDOWS\system32\svchost.exe[3236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C5007A
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50069
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50058
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50047
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C50F59
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C500AB
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C500BC
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F23
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C500D7
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F74
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[3236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F48
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C40076
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C40051
.text C:\WINDOWS\system32\svchost.exe[3236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40040
.text C:\WINDOWS\system32\svchost.exe[3236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30064
.text C:\WINDOWS\system32\svchost.exe[3236] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30053
.text C:\WINDOWS\system32\svchost.exe[3236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3001D
.text C:\WINDOWS\system32\svchost.exe[3236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[3236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30038
.text C:\WINDOWS\system32\svchost.exe[3236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C3000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB39658$\150114840 0 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\cfg.ini 300 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\L 0 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\L\akpnrerf 456320 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\oemid 50 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\U 0 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB39658$\150114840\version 1271 bytes
File C:\WINDOWS\$NtUninstallKB39658$\4262713361 0 bytes

---- EOF - GMER 1.0.15 ----

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,022 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 04 May 2012 - 07:16 AM

Thank you for the report, and I will see you later.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Annie12

Annie12
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:25 PM

Posted 04 May 2012 - 07:05 PM

Gringo, I have a problem. I have been all over my town and points beyond looking for an external hard drive so I could back up my computer, and there are none available for less than 500GB. I already have one of those with over 400GB left available, and it was affected by the viruses and malware that attached themselves to my computer. My files on that were also hidden, so I don't know if my external HD is still affected.

I ran a flash disinfector at the request of Boopme on the other thread (before I was directed to post here), but I am not sure whether it actually worked. How do I know, and would it be safe to back up my files and documents to that drive?

This is what I had posted over there as to the condition of my flash drive after using the disinfector:

Cleaned the flashdrive and my external hard drive

Downloaded Flash_Disinfector.exe
Rebooted my computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf
Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

How can I see this folder? I didn't see anything on the flash drive (I didn't check the external hard drive), so I wondered if the cleaning actually worked.

So, I still have no backup and don't know what direction I should take to do that. Thanks for your help.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,022 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 04 May 2012 - 08:21 PM

Hello


- Open Windows Explorer. You can do so by opening "My Computer".
- In the menu bar at the top of Windows Explorer you will find a "Tools" option.
- In the Tools option click "Folder Options".
- Click on the second tab, "View".
- Check the choice "Show hidden files and folders".
- Click "Apply", then "OK".


Now when you plug in the USB drive you should see any hidden files, even the one you're looking for.


Gringo

#9 Annie12

Annie12
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:25 PM

Posted 04 May 2012 - 08:49 PM

Hi Gringo,

I did what you instructed. When I open the external HD the folders are subdued in color, and when I right-click an individual folder, the General tab shows two choices under Attributes:
Read Only
Hidden

Each folder is checkmarked Hidden and I can unhide them and they appear correctly after this.

So, I don't see an autorun folder at all and my files are still hidden.

How do I unhide all of my files using the instructions below? It doesn't seem to be working.

- Open Windows Explorer. You can do so by opening "My Computer".
- In the menu bar at the top of Windows Explorer you will find a "Tools" option.
- In the Tools option click "Folder Options".
- Click on the second tab, "View".
- Check the choice "Show hidden files and folders".
- Click "Apply", then "OK".

Edited by Annie12, 04 May 2012 - 08:49 PM.


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,022 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 04 May 2012 - 09:00 PM

Hello Annie

How can I see this folder? I didn't see anything on the flash drive (I didn't check the external hard drive), so I wondered if the cleaning actually worked.

This is what you were looking for.


I want you to run this while the hard drive is connected:
http://download.bleepingcomputer.com/grinler/unhide.exe


gringo

#11 Annie12

Annie12
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:25 PM

Posted 04 May 2012 - 09:03 PM

Thanks, I will do this step.

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,022 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 04 May 2012 - 09:24 PM

:thumbup2:

#13 Annie12

Annie12
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:25 PM

Posted 04 May 2012 - 09:51 PM

Hi Gringo, I completed the Unhide program, and it looks like I got everything back except my desktop screensaver, although the report says it fixed the desktop. I see all of my files in C: and on my external hard drive; my drivers are back as well, and my MS Office Pro 2003 is back too.
Yay :clapping:

Sadly, I do not see an autorun folder on either my external hard drive or my flash drive, so I don't think the Flash Disinfector worked, and I hope the rootkit didn't sink itself inside. So, do I run the Flash Disinfector again?


Below is the report from Unhide

The E: drive is my External Hard Drive and the F: drive is the flash drive

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 05/04/2012 09:05:31 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 123921 files processed.

Processing the E:\ drive
Finished processing the E:\ drive. 60838 files processed.

Processing the F:\ drive
Finished processing the F:\ drive. 2366 files processed.

Restoring the Start Menu.
* 163 Shortcuts and Desktop items were restored.


Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoDesktop policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
* HidNoChangingWallPaperden policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!

Restarting Explorer.exe in order to apply changes.

Program finished at: 05/04/2012 09:16:13 PM
Execution time: 0 hours(s), 10 minute(s), and 42 seconds(s)

Edited by Annie12, 04 May 2012 - 09:52 PM.
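As an added example (not the Unhide tool's own code), a PowerShell audit script that checks a machine for the same kinds of changes the Unhide report above lists: user files marked Hidden and the Explorer policies and Start Menu toggles the FakeHDD rogue alters. It only reports by default and reverts changes only when run with -Fix; the value names are the standard Windows policy names, and the report's garbled "HidNoChangingWallPaperden" line is assumed to refer to the NoChangingWallPaper policy.

```powershell
# Audit script added here as an example; it is not unhide.exe and does not reproduce its internals.
# Run from an administrative PowerShell:  .\Audit-HiddenFiles.ps1 -Drives C:\,E:\ [-Fix]
param(
    [string[]]$Drives = @('C:\'),
    [switch]$Fix
)

# Policies the rogue sets to hide the desktop and lock the wallpaper (keys taken from the
# Unhide report; "NoChangingWallPaper" is assumed to be the policy the garbled line refers to).
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)

# Start Menu toggles the report restored, with the values it set them back to.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$startMenuExpected = @{
    Start_ShowMyMusic = 1; Start_ShowMyPics = 1; Start_ShowPrinters = 1
    Start_ShowSetProgramAccessAndDefaults = 1; Start_ShowRecentDocs = 2
    Start_ShowNetConn = 1; Start_ShowNetPlaces = 1
}

foreach ($p in $policyChecks) {
    # A missing value is the normal state; a non-zero value means the policy is active.
    $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($p.Name) -ne 0) {
        Write-Output "FOUND  $($p.Key)\$($p.Name) = $($item.($p.Name))"
        if ($Fix) { Remove-ItemProperty -Path $p.Key -Name $p.Name }
    }
}

foreach ($name in $startMenuExpected.Keys) {
    $item = Get-ItemProperty -Path $advKey -Name $name -ErrorAction SilentlyContinue
    if ($item -and $item.$name -eq 0) {
        Write-Output "FOUND  $advKey\$name = 0 (expected $($startMenuExpected[$name]))"
        if ($Fix) { Set-ItemProperty -Path $advKey -Name $name -Value $startMenuExpected[$name] -Type DWord }
    }
}

# Hidden user files: the rogue sets the Hidden attribute on documents and folders.
# Entries that are also System (e.g. desktop.ini, pagefile.sys) are legitimately hidden and are skipped,
# so the count below is the number of entries a cleanup would actually touch.
foreach ($drive in $Drives) {
    $hidden = Get-ChildItem -Path $drive -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       -not ($_.Attributes -band [IO.FileAttributes]::System) }
    Write-Output ("{0} {1} hidden non-system entries" -f $drive, @($hidden).Count)
    if ($Fix) {
        foreach ($h in $hidden) {
            $h.Attributes = $h.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden)
        }
    }
}
```

Run it first without -Fix and review the FOUND lines and counts; a large hidden-file count on a data drive is the signature the Unhide report above describes.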


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,022 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 04 May 2012 - 10:04 PM

Go ahead and run it with the pen drive connected, and then run ComboFix for me.


gringo

#15 Annie12

Annie12
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:25 PM

Posted 04 May 2012 - 10:09 PM

Go ahead and run it with the pen drive connected


gringo



What's a pen drive?????? Sorry, I am not computer literate at all, lol :blink:


Never mind, got it, flash drive. :thumbsup:

Edited by Annie12, 04 May 2012 - 10:16 PM.




