
Google Redirect please help!


  • This topic is locked
15 replies to this topic

#1 TedMoon


Posted 14 November 2009 - 03:56 PM

Hi there, I apologize in advance if any of this sounds confusing; I'm not very tech-savvy.
I'm having issues battling the Google redirect trojan on my mom's computer. I have run Malwarebytes (it ran successfully in normal mode) and removed the detected problems, but the trojan is not gone; Google is still redirecting. I have logs from HijackThis and your DDS tool, but the system could not run RootRepeal because "there is not enough virtual memory."
Another problem I'm having is that I cannot access the registry because my computer refuses to boot in safe mode; it comes up with an error message (Windows has encountered an unexpected error, yadda yadda), so I haven't been able to run SDFix or ComboFix. Please help, I have no idea what I'm doing at this point.

Thank you, here are the DDS and Hjt logs:

DDS:
DDS (Ver_09-10-26.01) - NTFSx86
Run by Glenda at 13:54:57.31 on Sat 11/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.73 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Glenda\Desktop\cleanup\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Glenda\Desktop\cleanup\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/calendar/render
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = localhost;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: mypublisher.com\www
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: ddcyy - c:\windows\system32\ddcyy.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-7-24 3744]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-7-24 3904]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-12 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-15 24652]
S2 mrtRate;mrtRate; [x]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-12-11 29744]

=============== Created Last 30 ================

2009-11-14 19:20:19 0 d-----w- C:\SDFix
2009-11-14 16:37:41 0 d-----w- c:\docume~1\glenda\applic~1\Malwarebytes
2009-11-14 16:37:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 16:37:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-14 16:37:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 16:37:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 13:38:53 0 d-sh--w- c:\documents and settings\glenda\PrivacIE
2009-11-12 13:34:48 0 d-sh--w- c:\documents and settings\glenda\IETldCache
2009-11-12 13:28:11 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-12 13:27:34 0 d-----w- c:\windows\ie8updates
2009-11-12 13:26:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-12 13:26:41 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-12 13:21:25 0 dc-h--w- c:\windows\ie8
2009-11-12 13:14:56 0 d-----w- c:\docume~1\glenda\applic~1\Windows Desktop Search
2009-11-12 13:13:56 0 d-----w- c:\program files\Windows Desktop Search
2009-11-12 13:13:55 0 d-----w- c:\windows\system32\GroupPolicy
2009-11-12 13:12:10 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-11-12 13:12:10 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-11-12 13:12:10 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-11-12 13:10:15 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-10 17:26:15 18 ---ha-w- C:\SYSREST
2009-11-10 16:43:07 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-09 00:28:30 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

2009-10-08 20:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 20:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 20:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-16 15:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-10-10 00:30:00 338372 --sha-w- c:\windows\system32\yycdd.bak1
2005-10-10 00:25:14 339236 --sha-w- c:\windows\system32\yycdd.bak2
2008-12-22 17:10:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122220081223\index.dat

============= FINISH: 13:58:48.18 ===============

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:47 PM, on 11/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Glenda\Desktop\cleanup\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9735 bytes

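The two logs in this post follow fixed line layouts (HijackThis "Oxx - ..." entries and DDS file listings with an attribute column), so a reader can pre-sort them before a helper looks at them. The script below is an added example for that, not code from BleepingComputer, HijackThis or DDS. It assumes the line layouts visible in the posted logs, and the meaning it gives the DDS attribute letters (d, c, s, h, a, r, w) is inferred from those lines; the sample input is copied from the logs above. It only lists entries an analyst would read first (orphaned Winlogon Notify entries, AppInit_DLLs, services without a publisher, hidden+system files with odd extensions under system32) and makes no judgement that any of them is malicious.

```python
"""Triage helper for the HijackThis (HJT) and DDS log formats posted above.

Added example, not code from BleepingComputer, HijackThis or DDS.
It returns the entries an analyst would look at first; it does not
decide that anything is malicious.
"""
import re
from dataclasses import dataclass, field
from typing import List

# HJT line layout as seen in the posted log, e.g.
#   O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
HJT_LINE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# DDS file line layout as seen in the "Created Last 30" / "Find3M" sections, e.g.
#   2005-10-10 00:30:00 338372 --sha-w- c:\windows\system32\yycdd.bak1
# The 8-character attribute column is read as d=directory, c=compressed,
# s=system, h=hidden, a=archive, r=read-only, w=writable (assumption
# inferred from the posted log, not documented DDS behaviour).
DDS_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# HJT sections whose entries load code at logon or into other processes;
# by convention these are read first regardless of the file name.
EARLY_LOAD_SECTIONS = {
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
}

# Extensions normally found directly under system32 (assumption for this example).
NORMAL_SYSTEM32_EXT = (".dll", ".exe", ".sys", ".dat", ".cpl", ".ocx", ".drv")


@dataclass
class Finding:
    source: str  # "hjt" or "dds"
    line: str    # the original log line
    reasons: List[str] = field(default_factory=list)


def triage_hjt(lines: List[str]) -> List[Finding]:
    """Return HJT entries worth a closer look, with the reason for each."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section in EARLY_LOAD_SECTIONS:
            reasons.append(f"{EARLY_LOAD_SECTIONS[section]} entry: verify the publisher")
        if "(file missing)" in body:
            reasons.append("registered file no longer exists (orphaned entry)")
        if "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        if reasons:
            findings.append(Finding("hjt", line, reasons))
    return findings


def triage_dds_files(lines: List[str]) -> List[Finding]:
    """Return DDS file entries worth a closer look, with the reason for each."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = DDS_FILE.match(line)
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path").lower()
        if attrs.startswith("d"):
            continue  # directories are not covered by this rule set
        reasons = []
        if "s" in attrs and "h" in attrs:
            reasons.append("file is marked hidden+system")
        if "\\system32\\" in path and not path.endswith(NORMAL_SYSTEM32_EXT):
            reasons.append("unusual extension for a file under system32")
        if reasons:
            findings.append(Finding("dds", line, reasons))
    return findings


# Sample lines copied from the logs posted in this thread.
SAMPLE_HJT = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL",
    r"O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)",
    r"O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]
SAMPLE_DDS = [
    r"2009-10-08 20:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll",
    r"2009-11-12 13:38:53 0 d-sh--w- c:\documents and settings\glenda\PrivacIE",
    r"2005-10-10 00:30:00 338372 --sha-w- c:\windows\system32\yycdd.bak1",
    r"2009-11-10 17:26:15 18 ---ha-w- C:\SYSREST",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_dds_files(SAMPLE_DDS):
        print(f"[{f.source}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it on the full log text by passing the file's lines to the two functions; everything that is not flagged is simply left for the normal read-through, and a flagged entry still needs a human to check the file's publisher and purpose before anything is removed.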

#2 Blade

  • Site Admin

Posted 22 November 2009 - 05:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 TedMoon

  • Topic Starter

Posted 22 November 2009 - 08:19 PM

Hi there! Thanks for responding. I know you guys are swamped; I appreciate any help you can provide!
It seems to be the typical Google redirect situation: whenever she searches for anything, it comes up with unrelated ad-type responses. McAfee detects it but seems to be unable to fix the problem. Here is the new DDS log for today:

Thanks,
Chelsea

DDS (Ver_09-10-26.01) - NTFSx86
Run by Glenda at 19:11:47.57 on Sun 11/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.180 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Glenda\Desktop\cleanup\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/calendar/render
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = localhost;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: mypublisher.com\www
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: ddcyy - c:\windows\system32\ddcyy.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-7-24 3744]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-7-24 3904]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-12 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-15 24652]
S2 mrtRate;mrtRate; [x]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-12-11 29744]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-11-14 19:20:19 0 d-----w- C:\SDFix
2009-11-14 16:37:41 0 d-----w- c:\docume~1\glenda\applic~1\Malwarebytes
2009-11-14 16:37:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 16:37:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-14 16:37:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 16:37:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 13:38:53 0 d-sh--w- c:\documents and settings\glenda\PrivacIE
2009-11-12 13:34:48 0 d-sh--w- c:\documents and settings\glenda\IETldCache
2009-11-12 13:28:11 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-12 13:27:34 0 d-----w- c:\windows\ie8updates
2009-11-12 13:26:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-12 13:26:41 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-12 13:21:25 0 dc-h--w- c:\windows\ie8
2009-11-12 13:14:56 0 d-----w- c:\docume~1\glenda\applic~1\Windows Desktop Search
2009-11-12 13:13:56 0 d-----w- c:\program files\Windows Desktop Search
2009-11-12 13:13:55 0 d-----w- c:\windows\system32\GroupPolicy
2009-11-12 13:12:10 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-11-12 13:12:10 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-11-12 13:12:10 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-11-12 13:10:15 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-10 17:26:15 18 ---ha-w- C:\SYSREST
2009-11-10 16:43:07 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-09 00:28:30 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

2009-10-08 20:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 20:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 20:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2005-10-10 00:30:00 338372 --sha-w- c:\windows\system32\yycdd.bak1
2005-10-10 00:25:14 339236 --sha-w- c:\windows\system32\yycdd.bak2
2008-12-22 17:10:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122220081223\index.dat

============= FINISH: 19:15:21.41 ===============

#4 Blade

Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,785 posts
  • Gender:Male
  • Location:US

Posted 23 November 2009 - 12:39 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
  • As I am in the final stages of training, an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 TedMoon

TedMoon
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female

Posted 23 November 2009 - 07:44 PM

Thanks Blade, I appreciate your help.

~Chelsea

#6 Blade

Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,785 posts
  • Gender:Male
  • Location:US

Posted 24 November 2009 - 07:18 PM

Hello TedMoon

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

~Blade


In your next reply, please include the following:
GMER log

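Once a GMER log like the one requested above has been saved, the lines that deserve an analyst's attention can be pulled out mechanically rather than read one by one. The Python below is an added example written for this thread (not a BleepingComputer or GMER tool; the function names parse_gmer and triage are mine): it parses the GMER 1.0.15 line layout seen later in this thread, reports kernel and user-mode hooks that GMER could attribute to a named module as informational, and flags two things for review: hooks whose JMP target lies in memory no loaded module accounts for, grouped by process and 64 KiB region, and any driver whose entry point sits in its .rsrc section.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a few lines copied from the GMER 1.0.15 log posted in
# this thread, one of each line type the triage below cares about.
SAMPLE_LOG = """\
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EF3B17B8 \\SystemRoot\\system32\\drivers\\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EF3B178E \\SystemRoot\\system32\\drivers\\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\\WINDOWS\\system32\\drivers\\atapi.sys entry point in ".rsrc" section [0xF859A7AC]

---- User code sections - GMER 1.0.15 ----

.text C:\\WINDOWS\\system32\\wuauclt.exe[256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0000
.text C:\\WINDOWS\\system32\\wuauclt.exe[256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D004E
.text C:\\WINDOWS\\system32\\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\\WINDOWS\\system32\\services.exe[576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
"""

# Driver whose PE entry point sits in the resource section:
#   .rsrc <driver> entry point in ".rsrc" section [0x<ep>]
RSRC_ENTRY = re.compile(
    r'^\.rsrc\s+(?P<driver>\S+) entry point in "\.rsrc" section \[0x(?P<ep>[0-9A-F]+)\]$'
)
# User-mode inline hook:
#   <section> <process>[<pid>] <dll>!<func> <addr> <n> Bytes JMP <target> [<module> (<desc>)]
# GMER prints a module and description after the target only when the
# target falls inside a module it can name.
USER_HOOK = re.compile(
    r"^(?P<section>\S+)\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<module>\S+)\s+\((?P<desc>.*)\))?$"
)
# Kernel inline hook:
#   <section> <image>!<func> <addr> <n> Bytes JMP <target> <driver> (<desc>)
KERNEL_HOOK = re.compile(
    r"^(?P<section>\S+)\s+(?P<image>[^!\s]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]{8})\s+(?P<driver>\S+)\s+\((?P<desc>.*)\)$"
)


@dataclass
class Finding:
    severity: str  # "review" = needs an analyst's eyes, "info" = attributed to a named module
    summary: str


def parse_gmer(text):
    """Turn each GMER log line into a dict tagged with its kind; unrecognised lines are kept as 'other'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section banners carry no findings
        for kind, rx in (("rsrc_entry", RSRC_ENTRY), ("user_hook", USER_HOOK), ("kernel_hook", KERNEL_HOOK)):
            m = rx.match(line)
            if m:
                records.append({"kind": kind, **m.groupdict()})
                break
        else:
            records.append({"kind": "other", "line": line})
    return records


def triage(text):
    """Sort parsed hooks into findings an analyst should review versus ones GMER attributed to a module."""
    findings = []
    # (process, pid, 64 KiB region of the JMP target) -> hooked functions, so the
    # many hooks that share one injected region collapse into a single finding.
    unattributed = defaultdict(list)
    for r in parse_gmer(text):
        if r["kind"] == "rsrc_entry":
            findings.append(Finding("review",
                f"{r['driver']}: entry point 0x{r['ep']} is inside the .rsrc section, which no linker "
                "produces; treat the file as patched until its hash is compared with a known-good copy"))
        elif r["kind"] == "kernel_hook":
            findings.append(Finding("info", f"{r['image']}!{r['func']} -> {r['driver']} ({r['desc']})"))
        elif r["kind"] == "user_hook":
            if r["module"]:
                findings.append(Finding("info",
                    f"{r['process']}[{r['pid']}] {r['dll']}!{r['func']} -> {r['module']} ({r['desc']})"))
            else:
                region = int(r["target"], 16) >> 16
                unattributed[(r["process"], r["pid"], region)].append(f"{r['dll']}!{r['func']}")
    for (proc, pid, region), funcs in sorted(unattributed.items()):
        findings.append(Finding("review",
            f"{proc}[{pid}]: {len(funcs)} hook(s) jump into 0x{region:04X}xxxx, memory GMER could not "
            f"attribute to any loaded module: {', '.join(funcs)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.summary}")
```

Attributed hooks are not automatically benign; the "info" line only tells you which file on disk to verify, whereas a "review" line points at code that no file on disk accounts for.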


#7 TedMoon

TedMoon
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female

Posted 25 November 2009 - 08:03 PM
Posted 25 November 2009 - 08:03 PM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 18:58:51
Windows 5.1.2600 Service Pack 3
Running: t9l53lgx.exe; Driver: C:\DOCUME~1\Glenda\LOCALS~1\Temp\uxldypob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEF3B178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEF3B1738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEF3B174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEF3B17CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEF3B1710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEF3B1724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEF3B179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEF3B1776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEF3B1762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEF3B17F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEF3B17E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEF3B17B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EF3B17B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EF3B178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EF3B1766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EF3B1714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EF3B17A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EF3B17E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EF3B17CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EF3B1750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EF3B17FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EF3B1728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EF3B173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EF3B177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF859A7AC]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0000
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0084
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0073
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F99
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0FB6
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D004E
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00BC
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00AB
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00F2
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D00D7
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0F3E
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0FD1
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0011
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0F7E
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D003D
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0022
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F59
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0F84
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0F9F
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FC1
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FB0
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FC0
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F80
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D001B
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D003D
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0000
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0F9B
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D002C
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00930FDE
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01030062
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01030F6D
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01030F8A
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0103003D
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01030F9B
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01030073
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01030F37
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01030EEB
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01030084
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0103009F
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0103002C
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01030011
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01030F48
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030FB6
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01030FDB
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01030F10
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020036
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01020F94
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01020025
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01020FAF
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01020051
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01020FC0
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF004E
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF001D
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0014
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\services.exe[576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90F57
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90F72
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90F83
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90F9E
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F30
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90078
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D9009A
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F01
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D900AB
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90067
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90040
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D90089
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80058
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70FA4
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FB5
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FD7
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FC6
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\lsass.exe[588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CD003D
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02650000
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02650F72
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02650F83
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02650F94
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02650047
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0265002C
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02650F4D
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02650095
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026500B0
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02650F17
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02650EFC
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02650FAF
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02650011
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02650078
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02650FC0
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02650FD1
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02650F32
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02640051
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02640FD4
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02640036
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0264001B
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02640087
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02640000
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02640FE5
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 8A]
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02640062
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0263004B
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 0263003A
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630FE5
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02630000
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02630FCA
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02630029
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\svchost.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010600A4
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01060089
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01060078
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0106005B
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01060040
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010600CB
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01060F83
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010600E6
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01060F57
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01060F32
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01060FAF
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01060FD4
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01060F94
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01060025
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0106000A
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01060F68
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01050FC3
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0105004A
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01050039
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01050F97
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [25, 89]
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01050FA8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\00001410 -> \Driver\atapi \Device\Harddisk0\DR0 82F6150C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{257B3C58-0874-5233-3F27-59B1C8329C9C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{257B3C58-0874-5233-3F27-59B1C8329C9C}\InprocServer32@ C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 18:58:51
Windows 5.1.2600 Service Pack 3
Running: t9l53lgx.exe; Driver: C:\DOCUME~1\Glenda\LOCALS~1\Temp\uxldypob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEF3B178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEF3B1738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEF3B174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEF3B17CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEF3B1710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEF3B1724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEF3B179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEF3B1776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEF3B1762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEF3B17F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEF3B17E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEF3B17B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EF3B17B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EF3B178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EF3B1766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EF3B1714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EF3B17A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EF3B17E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EF3B17CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EF3B1750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EF3B17FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EF3B1728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EF3B173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EF3B177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF859A7AC]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0000
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0084
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0073
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F99
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0FB6
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D004E
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00BC
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00AB
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00F2
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D00D7
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0F3E
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0FD1
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0011
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0F7E
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D003D
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0022
.text C:\WINDOWS\system32\wuauclt.exe[256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F59
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0F84
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0F9F
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FC1
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FB0
.text C:\WINDOWS\system32\wuauclt.exe[256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FC0
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F80
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D001B
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D003D
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0000
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0F9B
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\WINDOWS\system32\wuauclt.exe[256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D002C
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\wuauclt.exe[256] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00930FDE
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01030062
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01030F6D
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01030F8A
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0103003D
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01030F9B
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01030073
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01030F37
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01030EEB
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01030084
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0103009F
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0103002C
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01030011
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01030F48
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030FB6
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01030FDB
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01030F10
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020036
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01020F94
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01020025
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0102000A
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01020FAF
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01020051
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01020FC0
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF004E
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF001D
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0014
.text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\services.exe[576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90F57
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90F72
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90F83
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90F9E
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F30
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90078
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D9009A
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F01
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D900AB
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90067
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90040
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D90089
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80058
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70FA4
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FB5
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FD7
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FC6
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\lsass.exe[588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\lsass.exe[588] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CD003D
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02650000
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02650F72
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02650F83
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02650F94
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02650047
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0265002C
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02650F4D
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02650095
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026500B0
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02650F17
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02650EFC
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02650FAF
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02650011
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02650078
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02650FC0
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02650FD1
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02650F32
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02640051
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02640FD4
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02640036
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0264001B
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02640087
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02640000
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02640FE5
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 8A]
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02640062
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0263004B
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 0263003A
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630FE5
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02630000
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02630FCA
.text C:\WINDOWS\system32\svchost.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02630029
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\svchost.exe[744] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\svchost.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010600A4
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01060089
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01060078
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0106005B
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01060040
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010600CB
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01060F83
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010600E6
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01060F57
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01060F32
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01060FAF
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01060FD4
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01060F94
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01060025
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0106000A
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01060F68
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01050FC3
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0105004A
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01050039
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01050F97
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [25, 89]
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01050FA8
.text C:\WINDOWS\system32\svchost.exe[816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0049
.text C:\WINDOWS\system32\svchost.exe[816] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FB4
.text C:\WINDOWS\system32\svchost.exe[816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\svchost.exe[816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\svchost.exe[816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF002E
.text C:\WINDOWS\system32\svchost.exe[816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF001D
.text C:\WINDOWS\system32\svchost.exe[816] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[816] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[816] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\svchost.exe[816] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD0FC3
.text C:\WINDOWS\system32\svchost.exe[816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F7A
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F8B
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80065
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80054
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80039
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800A7
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B8008A
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F22
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F33
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B800D6
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80FBC
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80F5F
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FCD
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B8001E
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F44
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FA8
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B7004A
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FB9
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70F8D
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B70025
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B7000A
.text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B6003F
.text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60FB4
.text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B6001D
.text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B6002E
.text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FE3
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B50000
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B50025
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00B50040
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02860FEF
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02860F6F
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02860F80
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02860F9B
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02860058
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02860033
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0286009A
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02860089
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02860F12
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02860F2D
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 028600C6
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02860FAC
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02860000
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02860F5E
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02860022
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02860011
.text C:\WINDOWS\System32\svchost.exe[884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 028600AB
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0285003D
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02850FA5
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02850022
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02850011
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02850FB6
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02850000
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02850FD1
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A5, 8A]
.text C:\WINDOWS\System32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0285004E
.text C:\WINDOWS\System32\svchost.exe[884] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02840FB9
.text C:\WINDOWS\System32\svchost.exe[884] msvcrt.dll!system 77C293C7 5 Bytes JMP 02840044
.text C:\WINDOWS\System32\svchost.exe[884] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02840029
.text C:\WINDOWS\System32\svchost.exe[884] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02840FEF
.text C:\WINDOWS\System32\svchost.exe[884] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02840FDE
.text C:\WINDOWS\System32\svchost.exe[884] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0284000C
.text C:\WINDOWS\System32\svchost.exe[884] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02820FEF
.text C:\WINDOWS\System32\svchost.exe[884] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02820FD4
.text C:\WINDOWS\System32\svchost.exe[884] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0282000A
.text C:\WINDOWS\System32\svchost.exe[884] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0282001B
.text C:\WINDOWS\System32\svchost.exe[884] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02830000
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80084
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80073
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F99
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80062
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FC0
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F57
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B8009F
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B800D2
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B800C1
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B800ED
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80047
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80FDB
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80F74
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80022
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80011
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B800B0
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B7002C
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70F91
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FDB
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B7001B
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70FAC
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B7004E
.text C:\WINDOWS\System32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B7003D
.text C:\WINDOWS\System32\svchost.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60078
.text C:\WINDOWS\System32\svchost.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60FE3
.text C:\WINDOWS\System32\svchost.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60038
.text C:\WINDOWS\System32\svchost.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\System32\svchost.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60053
.text C:\WINDOWS\System32\svchost.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B6001D
.text C:\WINDOWS\System32\svchost.exe[944] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B40000
.text C:\WINDOWS\System32\svchost.exe[944] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B40011
.text C:\WINDOWS\System32\svchost.exe[944] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B40FDB
.text C:\WINDOWS\System32\svchost.exe[944] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00B40FC0
.text C:\WINDOWS\System32\svchost.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B50000
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F74
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0069
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C004E
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C003D
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FA5
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C008E
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F3C
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00A9
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F10
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0EF5
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C002C
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F59
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C001B
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C000A
.text C:\WINDOWS\Explorer.EXE[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F21
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0025
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0047
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0014
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0036
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F94
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\Explorer.EXE[984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\Explorer.EXE[984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0049
.text C:\WINDOWS\Explorer.EXE[984] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FBE
.text C:\WINDOWS\Explorer.EXE[984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FE3
.text C:\WINDOWS\Explorer.EXE[984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C002E
.text C:\WINDOWS\Explorer.EXE[984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C001D
.text C:\WINDOWS\Explorer.EXE[984] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002E0000
.text C:\WINDOWS\Explorer.EXE[984] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002E0011
.text C:\WINDOWS\Explorer.EXE[984] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002E0FDB
.text C:\WINDOWS\Explorer.EXE[984] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002E0FC0
.text C:\WINDOWS\Explorer.EXE[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E00F72
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E00067
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E00F8D
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E0004A
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E00025
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E0009D
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E00F55
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E000D3
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E00F3A
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E000E4
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E00FA8
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E0000A
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E0008C
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E00FB9
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E00FD4
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E000AE
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DB0FC0
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DB0062
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DB0FDB
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DB0011
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DB0047
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DB0000
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DB0FAF
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FB, 88]
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DB002C
.text C:\WINDOWS\System32\svchost.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0F9A
.text C:\WINDOWS\System32\svchost.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0025
.text C:\WINDOWS\System32\svchost.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA0FC6
.text C:\WINDOWS\System32\svchost.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0000
.text C:\WINDOWS\System32\svchost.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0FB5
.text C:\WINDOWS\System32\svchost.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0FD7
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D80FD4
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D8001B
.text C:\WINDOWS\System32\svchost.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40F83
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40F9E
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40078
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40051
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40F4D
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40F68
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40F32
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E400CB
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E400E6
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40040
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40000
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E40093
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E4001B
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E400BA
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20000
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20F5E
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20FAF
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D20F6F
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20F8A
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D2001B
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10F97
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FB2
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10022
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10000
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D10011
.text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CF0000
.text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CF001B
.text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[1568] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F7A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0027006F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F8B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0027009B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0027008A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002700CE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700BD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002700DF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0027001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270F5F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270FDB
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0027002C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002700AC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0036001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0036000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360087
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0036006C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360051
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0037005C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 0037004B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370029
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0037000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0037003A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003A0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B50FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B50FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B50FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00B5000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0027000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F6B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270F7C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F8D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270F9E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00270F29
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270071
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270EFD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00270096
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00270EEC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270040
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0027001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270F50
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270F18
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360087
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0036001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0036006C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0036005B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370FBE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] msvcrt.dll!system 77C293C7 5 Bytes JMP 0037003F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0037002E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FD9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0037001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003A0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B50FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B50FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3216] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00B50FC3

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\00001410 -> \Driver\atapi \Device\Harddisk0\DR0 82F6150C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{257B3C58-0874-5233-3F27-59B1C8329C9C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{257B3C58-0874-5233-3F27-59B1C8329C9C}\InprocServer32@ C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#8 Blade

  • Site Admin
  • 12,785 posts
  • Gender:Male
  • Location:US

Posted 27 November 2009 - 04:23 AM

Hello TedMoon.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Double click on renamed.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt in your next reply so we can continue cleaning the system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


~Blade


In your next reply, please include the following:
ComboFix Log



#9 TedMoon

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Female

Posted 27 November 2009 - 07:28 PM

Here's the ComboFix log; it rebooted twice.

Happy Thanksgiving

ComboFix 09-11-27.04 - Glenda 11/27/2009 17:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.220 [GMT -6:00]
Running from: c:\documents and settings\Glenda\Desktop\cleanup\renamed.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\recycler\NPROTECT\00075157.
c:\recycler\NPROTECT\00075171.
c:\windows\system32\ps2.bat
c:\windows\system32\yycdd.bak1
c:\windows\system32\yycdd.bak2
c:\windows\system32\yycdd.ini
c:\windows\viassary-hp.reg
D:\Autorun.inf

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-27 23:28 . 2009-11-27 23:28 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2009-11-14 19:20 . 2008-11-06 08:03 -------- d-----w- C:\SDFix
2009-11-14 19:19 . 2009-11-14 19:19 -------- d-----w- c:\documents and settings\Glenda\Application Data\Lavasoft
2009-11-14 16:37 . 2009-11-14 16:37 -------- d-----w- c:\documents and settings\Glenda\Application Data\Malwarebytes
2009-11-14 16:37 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 16:37 . 2009-11-14 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 16:37 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 16:37 . 2009-11-14 16:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 13:39 . 2009-11-12 13:39 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-12 13:38 . 2009-11-12 13:38 -------- d-sh--w- c:\documents and settings\Glenda\PrivacIE
2009-11-12 13:38 . 2009-11-12 13:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-12 13:34 . 2009-11-12 13:34 -------- d-sh--w- c:\documents and settings\Glenda\IETldCache
2009-11-12 13:28 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-12 13:27 . 2009-11-15 03:10 -------- d-----w- c:\windows\ie8updates
2009-11-12 13:26 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-12 13:26 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-12 13:21 . 2009-11-12 13:26 -------- dc-h--w- c:\windows\ie8
2009-11-12 13:18 . 2009-11-12 13:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-11-12 13:14 . 2009-11-12 13:14 -------- d-----w- c:\documents and settings\Glenda\Application Data\Windows Desktop Search
2009-11-12 13:13 . 2009-11-15 03:12 -------- d-----w- c:\program files\Windows Desktop Search
2009-11-12 13:13 . 2009-11-12 13:13 -------- d-----w- c:\windows\system32\GroupPolicy
2009-11-12 13:12 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-11-12 13:12 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-11-12 13:12 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-11-12 13:10 . 2009-11-12 13:10 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-12 13:06 . 2009-11-12 13:08 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-11-12 05:33 . 2009-11-14 16:34 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-10 16:43 . 2009-11-10 16:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-09 23:31 . 2009-11-10 16:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-09 00:28 . 2009-11-09 00:28 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 23:28 . 2004-09-02 19:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-27 23:16 . 2006-12-22 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 19:47 . 2007-02-10 20:14 -------- d-----w- c:\program files\Picasa2
2009-11-11 01:51 . 2009-07-13 02:56 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-10 15:42 . 2004-09-13 03:05 -------- d-----w- c:\program files\Google
2009-11-09 18:22 . 2006-12-11 20:14 51336 ----a-w- c:\documents and settings\Glenda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 13:45 . 2009-07-12 21:34 -------- d-----w- c:\program files\McAfee
2009-10-23 22:06 . 2009-07-12 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-18 14:47 . 2009-10-18 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-08 20:57 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 20:57 . 2004-06-04 23:50 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 20:56 . 2004-06-04 23:50 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-16 15:22 . 2009-07-12 21:36 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-07-12 21:36 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-07-12 21:36 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-05-14 04:25 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-07-12 21:33 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-06-05 00:27 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-05-13 00:49 58880 ----a-w- c:\windows\system32\msasn1.dll
2007-11-05 01:46 . 2006-12-11 22:45 131584 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-12 185872]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2008-04-14 380416]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-5-12 36864]
IMStart.lnk - c:\program files\InterMute\IMStart.exe [2004-5-12 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe"= c:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [7/24/2006 5:58 PM 3744]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [7/24/2006 5:58 PM 3904]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/12/2009 3:39 PM 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/15/2007 5:53 PM 24652]
S2 mrtRate;mrtRate; [x]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/11/2006 4:44 PM 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-22 03:24]

2009-07-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-12 17:22]

2009-07-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-12 17:22]

2009-11-27 c:\windows\Tasks\User_Feed_Synchronization-{0C9D79A7-3EB6-4383-9D40-09E202BCD782}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/calendar/render
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = localhost;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: mypublisher.com\www
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-ddcyy - c:\windows\system32\ddcyy.dll
AddRemove-KBD - c:\hp\KBD\KBD.EXE uninstalled
AddRemove-PS2 - c:\windows\system32\ps2.exe uninstall
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Windows Live Toolbar - c:\program files\Windows Live Toolbar\UnInstall.exe {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
AddRemove-{98E8A2EF-4EAE-43B8-A172-74842B764777} - c:\program files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 18:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2384)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\drivers\CDAC11BA.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-27 18:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-28 00:13

Pre-Run: 41,321,525,248 bytes free
Post-Run: 41,496,207,360 bytes free

- - End Of File - - 5134805AAE653EB2A6C78256F77C5469
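A log like the one above is long, and the lines that matter to a responder (a patched kernel driver, an orphaned Winlogon Notify DLL, Security Center alerts silenced, the Windows Firewall switched off) are scattered across several sections. The script below is an added example for this thread, not part of ComboFix or of anyone's post: it parses those sections out of a ComboFix log and prints the findings in the order a responder would act on them. SAMPLE_LOG is an excerpt of the log posted above; the section-header and value patterns are assumptions drawn from that log's layout.

```python
"""Triage a ComboFix log: pull out the findings a responder acts on first.

Added example, not part of ComboFix or of this thread. SAMPLE_LOG is an
excerpt of the log posted above, trimmed to the interesting lines; the
section and value patterns are assumptions based on that log's layout.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ps2.bat
c:\windows\system32\yycdd.ini
D:\Autorun.inf

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

Notify-ddcyy - c:\windows\system32\ddcyy.dll
AddRemove-KBD - c:\hp\KBD\KBD.EXE uninstalled
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "(((( Other Deletions ))))"
ORPHANS_HDR = "- - - - ORPHANS REMOVED - - - -"
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")               # a deleted file/dir path
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
NOTIFY_RE = re.compile(r"^Notify-(\S+) - (.+)$")          # orphaned Winlogon Notify entry


@dataclass
class Findings:
    deleted: list = field(default_factory=list)
    disinfected: list = field(default_factory=list)         # (infected path, restored-from path)
    notify_orphans: list = field(default_factory=list)      # (entry name, dll path)
    monitoring_disabled: list = field(default_factory=list) # Security Center keys with DisableMonitoring=1
    firewall_disabled: bool = False


def _dword_nonzero(value: str) -> bool:
    """True for REGEDIT4 'dword:00000001'-style values that are non-zero."""
    v = value.strip().lower()
    return v.startswith("dword:") and int(v[len("dword:"):], 16) != 0


def triage(log_text: str) -> Findings:
    f = Findings()
    section = None   # lower-cased name of the ComboFix section we are in
    reg_key = None   # current registry key inside 'Reg Loading Points'
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, reg_key = m.group(1).lower(), None
            continue
        if line == ORPHANS_HDR:
            section = "orphans removed"
            continue

        if section == "other deletions":
            m = INFECTED_RE.match(line)
            if m:
                f.disinfected.append((m.group(1), None))
            elif (m := RESTORED_RE.match(line)) and f.disinfected:
                path, _ = f.disinfected.pop()       # pair the restore with the preceding hit
                f.disinfected.append((path, m.group(1)))
            elif DRIVE_PATH_RE.match(line):
                f.deleted.append(line)

        elif section == "reg loading points":
            if (m := REG_KEY_RE.match(line)):
                reg_key = m.group(1).lower()
            elif reg_key and (m := REG_VALUE_RE.match(line)):
                name, value = m.group(1), m.group(2)
                # Malware commonly silences Security Center so the user never
                # sees an "antivirus/firewall disabled" warning.
                if "security center\\monitoring" in reg_key and name == "DisableMonitoring" and _dword_nonzero(value):
                    f.monitoring_disabled.append(reg_key)
                if "firewallpolicy" in reg_key and name == "EnableFirewall" and value.startswith("0"):
                    f.firewall_disabled = True

        elif section == "orphans removed":
            if (m := NOTIFY_RE.match(line)):
                f.notify_orphans.append((m.group(1), m.group(2)))
    return f


def summarize(f: Findings) -> list:
    """Human-readable findings, most serious first."""
    out = []
    for path, restored in f.disinfected:
        out.append(f"PATCHED SYSTEM FILE: {path} (clean copy restored from {restored})")
    for name, dll in f.notify_orphans:
        out.append(f"WINLOGON NOTIFY DLL (orphan): {name} -> {dll}")
    if f.monitoring_disabled:
        out.append(f"SECURITY CENTER ALERTS SILENCED under {len(f.monitoring_disabled)} key(s)")
    if f.firewall_disabled:
        out.append("WINDOWS FIREWALL DISABLED (standard profile)")
    out.extend(f"deleted: {p}" for p in f.deleted)
    return out


if __name__ == "__main__":
    for item in summarize(triage(SAMPLE_LOG)):
        print(item)
```

Run against the excerpt it prints the patched atapi.sys first, which is the finding that decides the rest of the thread: a storage driver that ComboFix had to replace from ServicePackFiles is a kernel-mode implant, not an ordinary autostart entry, and the quarantined copy (C:\Qoobox\Quarantine\...\atapi.sys.vir) is what Kaspersky later names in post #12. The DisableMonitoring and EnableFirewall=0 values explain why no alert was ever shown; they are worth checking on any XP box with a redirect complaint even when an AV product reports itself healthy.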

#10 Blade (Site Admin, 12,785 posts, US)

Posted 28 November 2009 - 11:10 PM

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply .
~Blade


In your next reply, please include the following:
Kaspersky Online Scan log
How is your computer running now?



#11 TedMoon (Topic Starter, Members, 8 posts)

Posted 29 November 2009 - 09:53 PM

EDIT: I just realized I didn't check 'My Computer', so it ran under 'Critical areas'. I'm sorry, I'll have the new one up as soon as it finishes.

Sorry for the delay, the Kaspersky check came up clean

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 29, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 29, 2009 21:19:07
Records in database: 3309527
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Critical areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Glenda\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Objects scanned: 70785
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:00:10

No threats found. Scanned area is clean.

Selected area has been scanned.

Edited by TedMoon, 29 November 2009 - 09:56 PM.


#12 TedMoon (Topic Starter, Members, 8 posts)

Posted 30 November 2009 - 09:53 AM

corrected scan:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 29, 2009 21:19:07
Records in database: 3309527
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 108741
Threats found: 2
Infected objects found: 1
Suspicious objects found: 1
Scan duration: 03:59:14


File name / Threat / Threats count
C:\Documents and Settings\Glenda\Local Settings\Application Data\Identities\{4B59B91B-3D6B-457F-B658-B439F397A5CC}\Microsoft\Outlook Express\Paypal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.

#13 Blade (Site Admin, 12,785 posts, US)

Posted 30 November 2009 - 02:13 PM

Hello TedMoon.

I'm afraid I have some troubling news.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

We can still continue to clean this machine but I can't guarantee that it will be 100% secure afterwards. Please let me know whether you wish to stop and undergo a reformat, or if you prefer to continue cleaning the machine.

***************************************************

Additionally, the Kaspersky scan came back with a troubling detection.

C:\Documents and Settings\Glenda\Local Settings\Application Data\Identities\{4B59B91B-3D6B-457F-B658-B439F397A5CC}\Microsoft\Outlook Express\Paypal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen


This indicates an infected email associated with Paypal. The trojan detected here is designed to trick you into providing your personal information. Read Here for more information on this trojan. With the above evidence the possibility of identity theft is much more likely. As I mentioned above, I would strongly urge you to contact Paypal, your bank, credit card providers, and any other financial institutions, and put them on possible fraud alert. Additionally, it is critical that you immediately change your Paypal and other passwords using a clean computer, NOT this one! It is important to act quickly to minimize the potential damage that could occur if your identity has been stolen.

Let me know how you wish to proceed.

~Blade



#14 TedMoon (Topic Starter, Members, 8 posts)

Posted 01 December 2009 - 09:18 PM

Hi Blade,

Thanks for all your help, I talked it over with her and she decided to get a new computer for herself, so I suppose I'll just reformat this one, seems to be the best solution!
I do have one question if you don't mind: my dad works from home and all the computers are hooked to a network, should he be worried about his computers? I don't know how that sort of thing works so I didn't know what to tell him.

Thanks again!

Chelsea

#15 Blade (Site Admin, 12,785 posts, US)

Posted 03 December 2009 - 03:11 PM

Hello TedMoon

In this situation I would say that's probably a wise decision. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action to take.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of information on this are
Reformatting Windows XP
Reinstall Windows Vista
Michael Stevens Tech

***************************************************

2 guidelines when backing up:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do NOT backup any applications/installers and Do NOT backup any files with the following extensions
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

***************************************************

I do have one question if you don't mind- my dad works from home and all the computers are hooked to a network

As long as you don't have file sharing enabled between the computers you should be fine. It wouldn't be a bad idea to run a full antivirus scan on all machines in the network to double check though.

Let me know if you have any further questions.

~Blade

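The backup rules in the post above (copy data files, skip the listed extensions, look closely at the full name for a hidden second extension) are easy to apply by hand to a handful of files and tedious for a whole profile. The script below is an added example, not code from the post or from any tool it mentions: it walks a folder, sorts every file into copy, skip or flag, and stages only the copy set into a backup directory. The sample profile tree is constructed in a temporary directory, and the EXECUTABLE_EXT set used for the double-extension check is this example's assumption, not a list from the post.

```python
"""Stage a user's data for backup before a reformat: copy data files, skip
the extension types the post lists, and flag double-extension names.

Added example, not part of the original post. The sample profile tree is
constructed in a temporary directory; EXECUTABLE_EXT is this example's
assumption about which trailing extensions Windows will run.
"""
import shutil
import tempfile
from pathlib import Path

# Extensions the post says not to back up, because they may carry the infection.
UNSAFE_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Extensions that run when double-clicked even if a data-looking name precedes them
# (assumption for this example, not from the post).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def classify(name: str):
    """Return (action, reason) for one file name: 'copy', 'skip' or 'flag'."""
    p = Path(name)
    suffixes = [s.lower() for s in p.suffixes]
    if p.name.lower() == "autorun.inf":
        return "skip", "autorun file"
    # "vacation.jpg.exe" displays as "vacation.jpg" when Explorer hides known
    # extensions; a data-looking extension followed by a runnable one is the
    # disguise the post warns about, so it is flagged rather than silently skipped.
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXT and suffixes[-2][1:].isalpha():
        return "flag", "double extension hides executable"
    if suffixes and suffixes[-1] in UNSAFE_EXT:
        return "skip", f"unsafe extension {suffixes[-1]}"
    return "copy", "data file"


def plan_backup(src) -> dict:
    """Walk src and sort every file into copy / skip / flag (relative POSIX paths)."""
    src = Path(src)
    plan = {"copy": [], "skip": [], "flag": []}
    for path in src.rglob("*"):
        if path.is_file():
            action, _reason = classify(path.name)
            plan[action].append(path.relative_to(src).as_posix())
    for key in plan:
        plan[key].sort()
    return plan


def copy_safe(src, dest, plan) -> list:
    """Copy only the 'copy' set into dest, keeping timestamps; return what landed."""
    src, dest = Path(src), Path(dest)
    for rel in plan["copy"]:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    return sorted(rel for rel in plan["copy"] if (dest / rel).is_file())


def build_sample_tree() -> Path:
    """Constructed sample profile folder (no real user data)."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    for rel in ["Documents/letter.doc", "Documents/notes.txt", "Pictures/vacation.jpg",
                "Pictures/vacation.jpg.exe", "Music/song.mp3", "Downloads/setup.exe",
                "Downloads/photos.zip", "autorun.inf"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"sample content\n")
    return root


def run_demo():
    """Build the sample tree, plan it, stage the safe files; returns (plan, copied)."""
    root = build_sample_tree()
    plan = plan_backup(root)
    copied = copy_safe(root, Path(tempfile.mkdtemp(prefix="backup_")), plan)
    return plan, copied


if __name__ == "__main__":
    plan, copied = run_demo()
    for action in ("flag", "skip", "copy"):
        for rel in plan[action]:
            print(f"{action:5} {rel:28} {classify(rel)[1]}")
    print(f"{len(copied)} file(s) staged for backup")
```

Flagged names are reported rather than quietly dropped so that the person doing the backup sees them; a "photo.jpg.exe" in a Pictures folder is itself evidence about how the machine was infected. The staged copy should still be scanned from a clean machine before anything is restored, as the post says.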

