Rootkit.TDSS - Need help


  • This topic is locked
13 replies to this topic

#1 toolwhiz

Posted 30 September 2009 - 02:52 PM

I have tried to follow some of the threads here around removal of rootkit.tdss. Malwarebytes MBAM detects the tdlwsp.dll but I have not been able to locate it. I have Windows XP SP2. Maybe a new strain of rootkit. Any help would be appreciated. I have ComboFix and Windows Restore already installed.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 djsi

Posted 30 September 2009 - 03:50 PM

In your situation you should probably go ahead and reinstall Windows XP and SP3 with all the updates. Your machine is running in the dark ages and you are going to be much more prone to attacks without the latest updates. Just back up your stuff and keep your computer so a reinstall isn't going to be devastating. Just my opinion; someone will be right along, I'm sure.

#3 toolwhiz

Posted 30 September 2009 - 04:14 PM

An OS re-install would be a big task, with all the software I would have to re-install. If I take a backup, the rootkit may return via backups. Is there any other way to get rid of the rootkit?

Thanks

#4 toolwhiz

Posted 30 September 2009 - 05:32 PM

I do have the combofix.txt file and gmer log, but did not upload it, since the instructions in the forum were to not upload a file, unless instructed to.

#5 boopme

Posted 30 September 2009 - 06:56 PM

Hello, please post the GMER log, then run MBAM (Malwarebytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#6 toolwhiz

Posted 01 October 2009 - 06:21 PM

Gmer log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-30 11:18:24
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Parents\LOCALS~1\Temp\pxtdqpoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF4FF04EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF4FF0581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF4FF0498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF4FF04AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF4FF0595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF4FF05C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF4FF062F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF4FF0619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF4FF052A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF4FF065B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF4FF056D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF4FF0470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF4FF0484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF4FF04FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF4FF0697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF4FF0603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF4FF05ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF4FF05AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF4FF0683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF4FF066F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF4FF04D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF4FF04C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF4FF05D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF4FF0559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF4FF0645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF4FF0540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF4FF0514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804FC679 7 Bytes JMP F4FF0518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 805684D5 5 Bytes JMP F4FF0571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B9A8 7 Bytes JMP F4FF05F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056C608 5 Bytes JMP F4FF04C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8056F063 5 Bytes JMP F4FF0585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8056F473 7 Bytes JMP F4FF069B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8056F76A 7 Bytes JMP F4FF0633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057164C 5 Bytes JMP F4FF04EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80573789 5 Bytes JMP F4FF0544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573C04 7 Bytes JMP F4FF052E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 8057459E 5 Bytes JMP F4FF0474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057494D 7 Bytes JMP F4FF0502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80575527 7 Bytes JMP F4FF05DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 805801FE 7 Bytes JMP F4FF061D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 805829DD 5 Bytes JMP F4FF065F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 805885D3 7 Bytes JMP F4FF04B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058AE1E 5 Bytes JMP F4FF055D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80597430 7 Bytes JMP F4FF05C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 80597C0A 5 Bytes JMP F4FF0488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 8059D6BD 7 Bytes JMP F4FF0599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B3543 5 Bytes JMP F4FF049C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062C85B 5 Bytes JMP F4FF04DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064C3B0 5 Bytes JMP F4FF0673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064C689 7 Bytes JMP F4FF0649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CF58 7 Bytes JMP F4FF0607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064D39F 7 Bytes JMP F4FF05AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064D892 5 Bytes JMP F4FF0687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01130FEF
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01130075
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01130064
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01130047
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01130F94
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01130FB9
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 011300AD
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01130F65
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01130F14
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01130F2F
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 011300BE
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 01130036
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01130FDE
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 01130090
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01130025
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 0113000A
.text C:\WINDOWS\system32\services.exe[608] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 01130F40
.text C:\WINDOWS\system32\services.exe[608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B90FBC
.text C:\WINDOWS\system32\services.exe[608] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90FCD
.text C:\WINDOWS\system32\services.exe[608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\services.exe[608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\services.exe[608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B9003D
.text C:\WINDOWS\system32\services.exe[608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01120040
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0112007D
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01120025
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0112000A
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0112006C
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0112005B
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01120FEF
.text C:\WINDOWS\system32\services.exe[608] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01120FD4
.text C:\WINDOWS\system32\services.exe[608] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\services.exe[608] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\services.exe[608] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\services.exe[608] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00B80042
.text C:\WINDOWS\system32\services.exe[608] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01040FEF
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01040F63
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01040F74
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01040058
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01040047
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01040FA5
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 010400A1
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01040084
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 010400E8
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 010400D7
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 01040F34
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 0104002C
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01040000
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 01040073
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01040FC0
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 0104001B
.text C:\WINDOWS\system32\lsass.exe[620] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 010400BC
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01030FC3
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01030F68
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01030FDE
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0103000A
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01030F83
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01030F9E
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\lsass.exe[620] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01030025
.text C:\WINDOWS\system32\lsass.exe[620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01020FAD
.text C:\WINDOWS\system32\lsass.exe[620] msvcrt.dll!system 77C293C7 5 Bytes JMP 01020FC8
.text C:\WINDOWS\system32\lsass.exe[620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01020FD9
.text C:\WINDOWS\system32\lsass.exe[620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0102000C
.text C:\WINDOWS\system32\lsass.exe[620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0102002E
.text C:\WINDOWS\system32\lsass.exe[620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0102001D
.text C:\WINDOWS\system32\lsass.exe[620] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\lsass.exe[620] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 0101000A
.text C:\WINDOWS\system32\lsass.exe[620] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 01010FE5
.text C:\WINDOWS\system32\lsass.exe[620] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 0101001B
.text C:\WINDOWS\system32\lsass.exe[620] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 0101002C
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B8008E
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B80F99
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B80073
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B80062
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B800BF
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B80F6D
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B800DA
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B80F41
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00B800EB
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00B80FC0
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00B80F7E
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00B80FDB
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00B8002C
.text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00B80F5C
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B70FAF
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B7004A
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B70F83
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B70F94
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B7001B
.text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60049
.text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B6002E
.text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FC8
.text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B6001D
.text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FE3
.text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00B50025
.text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00B50FDE
.text C:\WINDOWS\system32\svchost.exe[776] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A8007D
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A80F88
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A80F99
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A80062
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80FD1
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A80F3F
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A80F5C
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A800AC
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A80F13
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00A800C7
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00A80FC0
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00A80011
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00A80F6D
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00A8003D
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00A80022
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A80F24
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A70065
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A70FCA
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A70054
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A70FA8
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A70FB9
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60F9A
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60FAB
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FC6
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A6001B
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FE3
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00A50FC8
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00A50FB7
.text C:\WINDOWS\system32\svchost.exe[852] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01EC0FEF
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01EC0F9C
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01EC0087
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01EC0076
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01EC0FB9
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01EC0051
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01EC0F81
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01EC00BD
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01EC0F4B
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01EC00E4
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 01EC0F30
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 01EC0FCA
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01EC000A
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 01EC00AC
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01EC0036
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 01EC0025
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 01EC0F66
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01EB0FCA
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01EB0F94
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01EB0FDB
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01EB0011
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01EB0047
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01EB0036
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01EB0000
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01EB0FAF
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01EA0FB2
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 01EA003D
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01EA0FDE
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01EA0FEF
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01EA0FCD
.text C:\WINDOWS\System32\svchost.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01EA0018
.text C:\WINDOWS\System32\svchost.exe[932] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 01E90000
.text C:\WINDOWS\System32\svchost.exe[932] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 01E9001D
.text C:\WINDOWS\System32\svchost.exe[932] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 01E90FE5
.text C:\WINDOWS\System32\svchost.exe[932] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 01E90FC0
.text C:\WINDOWS\System32\svchost.exe[932] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01D80FEF
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0070000A
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00700FA3
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00700FB4
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0070008E
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0070007D
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00700058
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00700F50
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00700F6B
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007000CE
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007000BD
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 007000DF
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00700FD1
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 0070001B
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00700F88
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00700047
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 0070002C
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00700F3F
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006A0025
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006A0073
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006A0FCA
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006A0FDB
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006A0062
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006A0047
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006A0000
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006A0036
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00690089
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!system 77C293C7 5 Bytes JMP 00690064
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00690038
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0069000C
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00690053
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0069001D
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00680000
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00680011
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00680FE5
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 0068002C
.text C:\WINDOWS\System32\svchost.exe[1040] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00920FA8
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0092009D
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0092008C
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00920065
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00920040
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009200DF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009200CE
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00920F57
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00920F7C
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00920F46
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00920FC3
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00920F97
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00920FD4
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 009200F0
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0085001B
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00850F79
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00850FD4
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00850000
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00850036
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00850F94
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00850FAF
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00840F97
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 00840022
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00840FBC
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00840000
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00840011
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00840FE3
.text C:\WINDOWS\system32\svchost.exe[1108] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[1108] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00830FDB
.text C:\WINDOWS\system32\svchost.exe[1108] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00830011
.text C:\WINDOWS\system32\svchost.exe[1108] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00830FBE
.text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00820000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1760] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1760] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006E0F79
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006E0F8A
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006E0058
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006E0047
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006E0FC0
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006E0089
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006E0F4D
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006E0F01
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006E009A
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 006E0EE6
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 006E0FA5
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 006E0F5E
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 006E002C
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 006E0011
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 006E0F26
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006D0F8D
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006D0025
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006D0F9E
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006D004A
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006D0FC3
.text C:\WINDOWS\System32\svchost.exe[2024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0F97
.text C:\WINDOWS\System32\svchost.exe[2024] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0022
.text C:\WINDOWS\System32\svchost.exe[2024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FC6
.text C:\WINDOWS\System32\svchost.exe[2024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[2024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0011
.text C:\WINDOWS\System32\svchost.exe[2024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FE3
.text C:\WINDOWS\System32\svchost.exe[2024] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 006B0000
.text C:\WINDOWS\System32\svchost.exe[2024] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 006B0FDB
.text C:\WINDOWS\System32\svchost.exe[2024] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 006B0011
.text C:\WINDOWS\System32\svchost.exe[2024] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 006B002E
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00270000
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00270F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00270FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0027007F
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00270FB6
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0027003D
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002700B5
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 002700A4
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00270F37
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00270F48
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 002700EB
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00270062
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00270011
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00270F79
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00270FD1
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00270022
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 002700C6
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00350F8B
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00350FA6
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00350FC1
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00350016
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00350FD2
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00360036
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00360FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00360FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00360025
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00360062
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00360FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0036000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00360051
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00380FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 0038000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00380FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00380FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0F83
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0078
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0040
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F3C
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F57
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B00C4
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B0F2B
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 001B0F10
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 001B0051
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 001B0014
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 001B0F68
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 001B0025
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 001B00A9
.text C:\WINDOWS\Explorer.EXE[2572] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FBE
.text C:\WINDOWS\Explorer.EXE[2572] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290049
.text C:\WINDOWS\Explorer.EXE[2572] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029001D
.text C:\WINDOWS\Explorer.EXE[2572] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[2572] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290038
.text C:\WINDOWS\Explorer.EXE[2572] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A0FD1
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A004E
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A002C
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A0F91
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A003D
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A000A
.text C:\WINDOWS\Explorer.EXE[2572] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\Explorer.EXE[2572] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[2572] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\Explorer.EXE[2572] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[2572] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 002C003B
.text C:\WINDOWS\Explorer.EXE[2572] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A40FE5

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ikfileflt.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat ikfileflt.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort1\teixthxr\teixthxr\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2296] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\teixthxr\teixthxr\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2572] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.aif
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.aifc
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.mov
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.qt
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.ra
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.ram
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.rm
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\.rmm
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\MIME
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\MIME\audio/aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\MIME\audio/x-aiff
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\MIME\audio/x-pn-realaudio
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\EnablePlugin\MIME\video/quicktime
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\InprocServer32@ C:\WINDOWS\System32\msdxm.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\LocalServer32@ "C:\Program Files\Windows Media Player\mplayer2.exe"
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\ProgID@ MediaPlayer.MediaPlayer.1
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\ToolboxBitmap32@ C:\WINDOWS\System32\msdxm.ocx, 1
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\TypeLib@ {22D6F304-B0F6-11D0-94AB-0080C74C7E95}
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\Version@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{0F28B3F5-58AC-FC87-06B4-7692BEF75C54}\VersionIndependentProgID@ MediaPlayer.MediaPlayer
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\LocalServer32@ C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\LocalServer32@LocalServer32 10!!!gxsf(Ng]qF`H{LsOUTLOOKFiles>ToT]jI{jf(=1&L[-81-]?
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{4F9C66A3-A135-97A5-40F0-66C5B2A2B3CF}\InprocServer32@ C:\WINDOWS\System32\msdtctm.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{4F9C66A3-A135-97A5-40F0-66C5B2A2B3CF}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----
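
A triage pass over the GMER log format posted above, as an added example that is not part of the original thread. It groups inline hooks per process, separates hooks whose JMP target GMER attributed to a module from those it did not, and ranks processes with a hidden library first. The sample lines are copied from this thread's log; the function names and verdict labels are this example's own, and lines in other GMER formats are only counted as skipped.

```python
import re
from collections import defaultdict

# Lines copied from the GMER log in this thread (a small selection).
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[2024] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006D0FD4
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1760] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00270000
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0027003D
.text C:\Program Files\Internet Explorer\iexplore.exe[2296] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\Explorer.EXE[2572] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B00C4
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\Ide\IdePort1\teixthxr\teixthxr\tdlwsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2296] 0x10000000
Library \\?\globalroot\Device\Ide\IdePort1\teixthxr\teixthxr\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2572] 0x10000000
"""

# .text <image>[pid] <dll>!<func> <addr> <n> Bytes JMP <target> [<owner module>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"\d+ Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$"
)
# Library <path> (*** hidden *** ) @ <image> [pid] <base>
LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+@\s+"
    r"(?P<image>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$"
)


def parse_gmer(text):
    """Return ({pid: {"image", "hooks", "hidden"}}, skipped_line_count)."""
    procs = defaultdict(lambda: {"image": None, "hooks": [], "hidden": []})
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):  # blank lines, section headers
            continue
        m = HOOK_RE.match(line)
        if m:
            proc = procs[int(m["pid"])]
            proc["image"] = m["image"]
            proc["hooks"].append({
                "api": f'{m["dll"]}!{m["func"]}',
                "target": int(m["target"], 16),
                "owner": m["owner"],  # None when GMER named no module
            })
            continue
        m = LIB_RE.match(line)
        if m:
            proc = procs[int(m["pid"])]
            proc["image"] = proc["image"] or m["image"]
            proc["hidden"].append(m["path"])
            continue
        skipped += 1  # any other GMER line type is not interpreted here
    return dict(procs), skipped


def triage(procs):
    """Rank processes: hidden module first, then unattributed hooks.

    An unattributed hook is only a lead, because security products patch
    the same APIs; a hidden library mapping is the stronger indicator.
    """
    order = {"hidden-module": 0, "unattributed-hooks": 1, "attributed-hooks": 2}
    rows = []
    for pid, proc in procs.items():
        unowned = [h for h in proc["hooks"] if h["owner"] is None]
        if proc["hidden"]:
            verdict = "hidden-module"
        elif unowned:
            verdict = "unattributed-hooks"
        else:
            verdict = "attributed-hooks"
        rows.append({
            "pid": pid,
            "image": proc["image"],
            "verdict": verdict,
            "unattributed": len(unowned),
            # 4 KiB pages the unattributed JMPs land in (trampoline memory)
            "pages": sorted({h["target"] & ~0xFFF for h in unowned}),
            "hidden": proc["hidden"],
        })
    rows.sort(key=lambda r: (order[r["verdict"]], r["pid"]))
    return rows


if __name__ == "__main__":
    parsed, skipped_lines = parse_gmer(SAMPLE_LOG)
    for row in triage(parsed):
        pages = ", ".join(f"{p:08X}" for p in row["pages"]) or "-"
        print(f'{row["verdict"]:<19} pid={row["pid"]:<5} {row["image"]}')
        print(f'    unattributed hooks: {row["unattributed"]}  pages: {pages}')
        for path in row["hidden"]:
            print(f"    hidden library: {path}")
    print(f"skipped lines: {skipped_lines}")
```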

#7 toolwhiz

Posted 02 October 2009 - 11:57 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2878
Windows 5.1.2600 Service Pack 2

10/1/2009 4:35:28 PM
mbam-log-2009-10-01 (16-35-28).txt

Scan type: Quick Scan
Objects scanned: 128786
Time elapsed: 6 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\vxiobvpf\vxiobvpf\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\vxiobvpf\vxiobvpf\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

However the infection is still there after the reboot.

#8 toolwhiz

Posted 02 October 2009 - 12:06 PM

Some extra info that may help:

Using Sysinternals tools, I see that the tdlwsp.dll is loaded only for explorer.exe and iexplore.exe. Also the procmon tool shows the following:
10:04:32.9050128 AM wmiprvse.exe 3488 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tdlwsp.dll NAME NOT FOUND Desired Access: Read

However when I look in the registry I do not find any matching entry. Nor have I been able to locate the tdlwsp.dll anywhere.

I have been following the topic http://www.bleepingcomputer.com/forums/ind...otkit&st=15 as well, which appears to be a totally identical situation with the same symptom.

#9 boopme

Posted 02 October 2009 - 12:06 PM

It looks like there is a rootkit variant in this log. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection; the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Download this Utility and save it to your Desktop.
Double-click the Utility to run it and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below.

Next please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.

#10 toolwhiz

Posted 02 October 2009 - 12:08 PM

Well, what I wrote about tdlwsp.dll being loaded only for explorer.exe and iexplore.exe may not be correct. It seems those may have been the only 2 applications I may have had running at that time. I now see it being loaded by notepad as well, since I have that open.

#11 boopme

Posted 02 October 2009 - 12:16 PM

Well that's why I'm thinking it's buried itself and we need to get in deeper. I think it's rebuilding itself.

You can also run DrWeb if you like.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#12 toolwhiz

Posted 02 October 2009 - 12:33 PM

Win32kDiag is running still. Will post the logs into:

http://www.bleepingcomputer.com/forums/t/261746/rootkit-variant-analysis/

when it's done.

Appreciate your help with this.

#13 toolwhiz

Posted 02 October 2009 - 04:18 PM

Uploaded the Win32kDiag log on http://www.bleepingcomputer.com/forums/ind...p;#entry1446747

Will try the Dr. Web next.

#14 boopme

Posted 03 October 2009 - 07:37 PM

I combined your 2 posts in the HJT forum.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.