
Rootkit.ADS


20 replies to this topic

#1 angieInVA

  • Members
  • 182 posts

Posted 16 April 2010 - 09:50 AM

Yes, I'm back again, and I'm not sure where I should be posting this, but I thought I would start here. I want to first off thank you all for your previous help.

I ran Malwarebytes a couple of times yesterday and there seems to be one file it can't delete; it keeps showing up, and that is the Rootkit.ADS. Attached is the log file after running a full scan.


Scan type: Full scan (C:\|)
Objects scanned: 267045
Time elapsed: 1 hour(s), 37 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS:window (Rootkit.ADS) -> Quarantined and deleted successfully.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,760 posts
  • Location:NJ USA

Posted 16 April 2010 - 11:36 AM

Hi, did you update MBAM before running?

Next run ATF and SAS. If you cannot access Safe Mode, run in Normal Mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it, and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now a GMER scan:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
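Once a gmer.log like the one requested above is in hand, most of it is hook listings, and the first question a helper asks of each entry is whether GMER could resolve the JMP destination to a module on disk (in which case it appends that module's path and file description after the destination address) or not. The Python script below is an added example, not part of this thread and not GMER's own code: it parses the "Kernel code sections" and "User code sections" lines into records, groups them by process, and separates hooks attributed to a named module from hooks whose destination GMER could not map to any module and from raw byte patches. The sample lines are constructed here in the format GMER 1.0.15 writes; the names parse_gmer, summarize and Hook are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample lines constructed here in the format GMER 1.0.15 uses for its
# "Kernel code sections" and "User code sections"; not a log from the thread.
SAMPLE_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP AF3A3811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8DA1340, 0xFFF3F, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EC, 88]
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
"""

# A hook line:  "<section> <where> <addr> <n> Bytes JMP <dest> [<module> (<description>)]"
# A patch line: "<section> <where> <addr> <n> Byte(s) [<hex bytes>]"
HOOK_RE = re.compile(
    r"^(?P<section>\S+) (?P<where>.+?) (?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes? "
    r"(?:JMP (?P<dest>[0-9A-Fa-f]{8})(?: (?P<module>\S+) \((?P<desc>[^)]*)\))?"
    r"|\[(?P<raw>[^\]]*)\].*)$"
)
WRITEABLE_RE = re.compile(r"^\S+ (?P<image>.+?) section is writeable \[(?P<range>[^\]]*)\]$")
PROCESS_RE = re.compile(r"^(?P<process>.+?)\[(?P<pid>\d+)\] (?P<api>.+)$")


@dataclass
class Hook:
    section: str
    process: str            # image path of the hooked process, or "kernel"
    pid: Optional[int]
    api: str                # e.g. "kernel32.dll!CreateFileA" or "ntoskrnl.exe!ZwOpenKey"
    addr: str
    size: int
    dest: Optional[str]     # JMP destination; None for a raw byte patch
    module: Optional[str]   # module GMER resolved the destination to, if it could
    desc: Optional[str]     # that module's file description, if any
    raw: Optional[str]      # patched bytes of a non-JMP patch

    @property
    def kind(self) -> str:
        if self.dest is None:
            return "patch"
        return "attributed" if self.module else "unattributed"


def parse_gmer(text: str) -> Tuple[List[Hook], List[Tuple[str, str]]]:
    """Parse GMER code-section lines; returns (hooks, writeable code sections)."""
    hooks: List[Hook] = []
    writeable: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        w = WRITEABLE_RE.match(line)
        if w:
            writeable.append((w["image"], w["range"]))
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue                      # lines from other sections are ignored
        p = PROCESS_RE.match(m["where"])  # "<process>[<pid>] <api>" for user-mode hooks
        if p:
            process, pid, api = p["process"], int(p["pid"]), p["api"]
        else:
            process, pid, api = "kernel", None, m["where"]
        hooks.append(Hook(m["section"], process, pid, api, m["addr"].upper(),
                          int(m["size"]), m["dest"], m["module"], m["desc"], m["raw"]))
    return hooks, writeable


def summarize(hooks: List[Hook]) -> Dict[str, Dict[str, object]]:
    """Per process: hook count per attributed module, APIs whose JMP target GMER
    could not map to any module, and APIs carrying raw byte patches."""
    out: Dict[str, Dict[str, object]] = {}
    for h in hooks:
        entry = out.setdefault(h.process, {"attributed": defaultdict(int),
                                           "unattributed": [], "patches": []})
        if h.kind == "attributed":
            entry["attributed"][h.module] += 1
        elif h.kind == "unattributed":
            entry["unattributed"].append(h.api)
        else:
            entry["patches"].append(h.api)
    return out


if __name__ == "__main__":
    hooks, writeable = parse_gmer(SAMPLE_LOG)
    for proc, info in summarize(hooks).items():
        print(proc)
        for mod, n in info["attributed"].items():
            print(f"  {n} hook(s) resolved to {mod}")
        for api in info["unattributed"]:
            print(f"  {api}: JMP into memory GMER could not attribute to a module")
        for api in info["patches"]:
            print(f"  {api}: raw byte patch")
    for image, rng in writeable:
        print(f"writeable code section: {image} [{rng}]")
```

Run it as a script to print the summary for the embedded sample, or pass the text of a saved gmer.log to parse_gmer to summarize a real one. Hooks attributed to a driver or module belonging to installed security software (a HIPS hooking registry, process and file APIs is its normal behaviour) can be checked against what the machine actually has installed; the unattributed entries and raw byte patches are the ones that warrant a closer look, which is the judgement a helper makes before clearing a log.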

#3 angieInVA

  • Topic Starter
  • Members
  • 182 posts

Posted 17 April 2010 - 11:00 PM

Yes, I did update MBAM before I ran it. Thanks again for your help; here are the logs....

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2010 at 02:06 PM

Application Version : 4.35.1002

Core Rules Database Version : 4814
Trace Rules Database Version: 2626

Scan type : Complete Scan
Total Scan Time : 00:57:36

Memory items scanned : 487
Memory threats detected : 0
Registry items scanned : 6208
Registry threats detected : 0
File items scanned : 70739
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Steve\Cookies\steve@ad.yieldmanager[1].txt
C:\Documents and Settings\Steve\Cookies\steve@content.yieldmanager[1].txt

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP638\A0133564.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP658\A0138077.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP717\A0149629.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP717\A0149630.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP717\A0149631.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP717\A0149632.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP717\A0149633.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP717\A0149634.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP718\A0151661.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DE8459D5-7BCF-49D0-B51D-3A73E16B0E0E}\RP720\A0153673.EXE



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 22:03:51
Windows 5.1.2600 Service Pack 3
Running: myx9ot85.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\fwldypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAF48A320]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAF3A378A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAF3A3821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAF3A3738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAF3A374C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAF3A3835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAF3A3861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAF3A38CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAF3A38B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAF3A37CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAF3A38FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAF3A380D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAF3A3710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAF3A3724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAF3A379E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAF3A3937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAF3A38A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAF3A388D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAF3A384B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAF3A3923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAF3A390F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAF3A3776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAF3A3762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAF3A3877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAF3A37F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAF3A38E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAF3A37E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAF3A37B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP AF3A37B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP AF3A3811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A382 7 Bytes JMP AF3A3891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP AF3A378E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP AF3A3766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80572E9D 5 Bytes JMP AF3A3825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 805732AD 7 Bytes JMP AF3A393B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 7 Bytes JMP AF3A38D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP AF3A3714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP AF3A37A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP AF3A37E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP AF3A37CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80579A43 7 Bytes JMP AF3A387B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP AF3A3750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP AF3A37FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP AF3A3728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058BA5D 5 Bytes JMP AF3A38FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590669 7 Bytes JMP AF3A38BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D50 7 Bytes JMP AF3A3865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952BE 7 Bytes JMP AF3A3839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP AF3A373C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP AF3A377A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA6E 7 Bytes JMP AF3A38E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E394 7 Bytes JMP AF3A38A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E812 7 Bytes JMP AF3A384F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ED05 5 Bytes JMP AF3A3913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F16E 5 Bytes JMP AF3A3927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8DA1340, 0xFFF3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012300, 0x234A20, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[380] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F97
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070071
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700B3
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F2E
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F3F
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700E2
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0007008C
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F50
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F79
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F8A
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050042
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FAD
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F80
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F0007F
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00064
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00047
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F54
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00090
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F00F28
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F43
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00F0D
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F65
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FCA
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F000C1
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0FC3
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0F97
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF001E
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0054
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF0039
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0FA8
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0058
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0FC3
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FDE
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0033
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE000C
.text C:\WINDOWS\system32\lsass.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F5006C
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F5005B
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50040
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50F97
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F500A9
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50098
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500DF
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50F46
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50F2B
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50014
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FDE
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50087
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50FA8
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50FC3
.text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F500C4
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40047
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F4008E
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F40025
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40073
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F40058
.text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40FDB
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30FC6
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30047
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30011
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30FE3
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F3002C
.text C:\WINDOWS\system32\svchost.exe[876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F66
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0F77
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0F88
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0FAF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD0F2E
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0076
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD0EF8
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD009B
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD0EE7
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0051
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0F55
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD0040
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD001B
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD0F1D
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC005B
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0F94
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CC0FB9
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EC, 88]
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC0040
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB004C
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB003B
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB000C
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0FC1
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0FD2
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0000
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03150000
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0315004A
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03150F55
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0315002F
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03150F72
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03150FA8
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03150093
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03150078
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031500B8
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03150F1F
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 031500C9
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03150F8D
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03150FE5
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0315005B
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03150FC3
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03150FD4
.text C:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03150F30
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03140FD4
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03140F94
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03140FEF
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03140025
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03140051
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0314000A
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03140FB9
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [34, 8B] {XOR AL, 0x8b}
.text C:\WINDOWS\System32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03140040
.text C:\WINDOWS\System32\svchost.exe[1048] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03130F86
.text C:\WINDOWS\System32\svchost.exe[1048] msvcrt.dll!system 77C293C7 5 Bytes JMP 03130FAB
.text C:\WINDOWS\System32\svchost.exe[1048] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03130FC6
.text C:\WINDOWS\System32\svchost.exe[1048] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03130FEF
.text C:\WINDOWS\System32\svchost.exe[1048] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03130011
.text C:\WINDOWS\System32\svchost.exe[1048] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03130000
.text C:\WINDOWS\System32\svchost.exe[1048] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03120FE5
.text C:\WINDOWS\System32\svchost.exe[1048] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03110FEF
.text C:\WINDOWS\System32\svchost.exe[1048] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03110FD4
.text C:\WINDOWS\System32\svchost.exe[1048] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03110FC3
.text C:\WINDOWS\System32\svchost.exe[1048] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03110FB2
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C0FA3
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C008E
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C007D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0FC0
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C0051
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C00C6
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C00A9
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C00E1
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C0F48
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0F2D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C0062
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C000A
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C0F88
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C0036
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C001B
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C0F63
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B0025
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0051
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0F9E
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008B0FAF
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AB, 88]
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B0036
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0042
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0027
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0FC1
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0016
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A0FD2
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0089
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0078
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00D2
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD00C1
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0119
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0108
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F6F
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD005B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD00A4
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00ED
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F8A
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0FAF
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0F8D
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0022
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FCD
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FB2
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0000
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01860000
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01860F7E
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01860073
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01860062
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01860047
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01860FC0
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01860F6D
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 018600B5
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018600E1
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 018600D0
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01860F23
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01860FA5
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0186001B
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0186008E
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0186002C
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01860FDB
.text C:\WINDOWS\Explorer.EXE[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01860F52
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0185002C
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01850F9E
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01850FDB
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01850011
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01850FAF
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01850000
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01850047
.text C:\WINDOWS\Explorer.EXE[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01850FC0
.text C:\WINDOWS\Explorer.EXE[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EF0066
.text C:\WINDOWS\Explorer.EXE[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EF0055
.text C:\WINDOWS\Explorer.EXE[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EF0029
.text C:\WINDOWS\Explorer.EXE[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\Explorer.EXE[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EF003A
.text C:\WINDOWS\Explorer.EXE[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EF000C
.text C:\WINDOWS\Explorer.EXE[1672] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C40000
.text C:\WINDOWS\Explorer.EXE[1672] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C40011
.text C:\WINDOWS\Explorer.EXE[1672] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C40FDB
.text C:\WINDOWS\Explorer.EXE[1672] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C4002C
.text C:\WINDOWS\Explorer.EXE[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F76
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B8006B
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F91
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B8004E
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800AD
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80090
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F1E
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F2F
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B800D2
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80FAC
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80FDB
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80F65
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B8002C
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F4A
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FCA
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70F83
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FDB
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70040
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B70F94
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D7, 88]
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70FAF
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B6004E
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60033
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60FC3
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F70
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0065
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F8B
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F3A
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0080
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F04
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F1F
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EF3
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F55
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA009D
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F97
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA8
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FB9
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930040
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FAB
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FBC
.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A800B3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80FBE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80098
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80087
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A8006C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A800F3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80FAD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A80F6B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80F35
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A800CE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80F90
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A70FB2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70043
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A70FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A70FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A70F7C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A70FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A70F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C7, 88]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A70014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60FBE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60049
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A6001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A6000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60038
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2452] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00A50000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 002C0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002C0058
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 002C0047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 002C0F6D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 002C0036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 002C0FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002C0F32
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002C0084
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002C0EF5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002C0F06
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002C009F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 002C0F94
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 002C000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002C0069
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 002C0FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 002C001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002C0F17
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 003B003D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 003B008E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 003B002C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 003B0011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 003B0073
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 003B0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 003B0058
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 003B0FD1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003C0FAD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] msvcrt.dll!system 77C293C7 5 Bytes JMP 003C0FBE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003C002E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003C0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003C0FCF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003C0011
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0097
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0086
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0069
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0058
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FB6
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F60
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00B2
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00DE
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F4F
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F2A
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A003D
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F91
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A002C
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[3832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00CD
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029005B
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290040
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[3832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[3832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0047
.text C:\WINDOWS\System32\svchost.exe[3832] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0036
.text C:\WINDOWS\System32\svchost.exe[3832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FBC
.text C:\WINDOWS\System32\svchost.exe[3832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[3832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E001B
.text C:\WINDOWS\System32\svchost.exe[3832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

ADS C:\WINDOWS:window.exe 122880 bytes executable

---- EOF - GMER 1.0.15 ----

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 April 2010 - 12:05 PM

Hi. OK, I asked because the log was cut off where it shows the operating system and version of MAM. I wanted to be sure we ran the latest one. This looks good. How is it running now?

Let's do one last online scan.

ESET
Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 angieInVA

angieInVA
  • Topic Starter

  • Members
  • 182 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 18 April 2010 - 10:34 PM

Sorry, I guess I didn't copy and paste the entire MBM log on my first post. It's running OK; it seems a little touchy. I know that doesn't tell you a lot, but it's quick to close or open new browser windows when I'm reading and/or dragging my mouse over text on a page (I'm talking about when using IE). Sorry, that's the best way I can explain it.

here is the log from the last online scan.....

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4f813081687c614490860b18f20bef6f
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-12 07:22:23
# local_time=2010-02-12 02:22:23 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 12136177 12136177 0 0
# compatibility_mode=5121 16776533 100 96 6438247 18002191 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=197650
# found=3
# cleaned=3
# scan_time=9081
C:\my vid profile.mpg.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\my vid_profile.mpg.exe a variant of Win32/Injector.AMC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\61\18364cfd-11c66aed multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4f813081687c614490860b18f20bef6f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-22 10:49:06
# local_time=2010-02-22 05:49:06 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 13012639 13012639 0 0
# compatibility_mode=5121 16776533 100 96 341729 18878653 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=228781
# found=0
# cleaned=0
# scan_time=9020
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4f813081687c614490860b18f20bef6f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-18 08:53:16
# local_time=2010-04-18 04:53:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 17756926 17756926 0 0
# compatibility_mode=5121 16776533 100 96 593824 23622940 0 0
# compatibility_mode=8192 67108863 100 0 4703582 4703582 0 0
# scanned=242307
# found=1
# cleaned=1
# scan_time=9785
C:\WINDOWS\pss\mc_vid_of me.mpg.exeStartup Win32/Bifrose.NEL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


thank you again!
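The three ESET Online Scanner sessions pasted above share one log format: `# key=value` header lines, with `# version` opening each new session, followed by one line per detection of the form `<path> <threat description> (<action>) <32-hex digits> C`. The parser below is an added example written for this thread; it is not code from the forum or from ESET. It assumes only that layout, and the log it reads is a constructed sample in the same format (paths and threat names are made up). Besides splitting the sessions and detections, it performs the one check a log reviewer wants here: a session that reports `found` items while `remove_checked=false` has only reported them, not removed them.

```python
"""Parse ESET Online Scanner log output (constructed example, not ESET code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the pasted log's layout: two sessions, the second run
# with "Remove found threats" unchecked, so its detection was not cleaned.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
# version=7
# end=finished
# remove_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=1000
# found=2
# cleaned=2
C:\sample_a.exe probably a variant of Win32/ExampleA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\sample_b.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# end=finished
# remove_checked=false
# osver=5.1.2600 NT Service Pack 3
# scanned=1200
# found=1
# cleaned=0
C:\sample_c.exe a variant of Win32/ExampleC trojan (unable to clean) 00000000000000000000000000000000 C
"""

# A detection line ends with "(<action>) <32 hex digits> <flag>"; the path may
# contain spaces and parentheses, so anchor on the trailing hash instead.
DETECT_RE = re.compile(
    r"^(?P<body>.+?) \((?P<action>[^()]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)
# Split "<path> <threat>" using the threat phrasings seen in the pasted log:
# "probably a variant of X Y", "a variant of X Y", "multiple threats", "Family/Name type".
THREAT_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:probably )?a variant of \S+ \S+|multiple threats|\S+/\S+ \S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str


@dataclass
class Session:
    meta: dict = field(default_factory=dict)   # "# key=value" lines (last value wins)
    detections: list = field(default_factory=list)

    @property
    def found(self) -> int:
        return int(self.meta.get("found", 0))

    @property
    def cleaned(self) -> int:
        return int(self.meta.get("cleaned", 0))

    @property
    def removal_enabled(self) -> bool:
        return self.meta.get("remove_checked") == "true"

    def uncleaned(self) -> int:
        return self.found - self.cleaned


def parse_eset_log(text: str) -> list:
    """Return one Session per '# version=' block, with its detections."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if not sep:
                continue
            if key == "version":            # a new scan session starts here
                current = Session()
                sessions.append(current)
            if current is not None:
                current.meta[key] = value
            continue
        if current is None:                 # installer chatter before the first session
            continue
        m = DETECT_RE.match(line)
        if not m:
            continue
        t = THREAT_RE.match(m.group("body"))
        path, threat = (t.group("path"), t.group("threat")) if t else (m.group("body"), "?")
        current.detections.append(Detection(path, threat, m.group("action")))
    return sessions


def review_flags(sessions: list) -> list:
    """Points a reviewer should raise: detections that were reported but not removed."""
    flags = []
    for i, s in enumerate(sessions, 1):
        if s.found and not s.removal_enabled:
            flags.append(f"session {i}: found={s.found} cleaned={s.cleaned} with "
                         f"remove_checked=false; detections were only reported, not removed")
        elif s.uncleaned() > 0:
            flags.append(f"session {i}: {s.uncleaned()} detection(s) not cleaned")
    return flags


if __name__ == "__main__":
    for n, s in enumerate(parse_eset_log(SAMPLE_LOG), 1):
        print(f"session {n}: os={s.meta.get('osver')} scanned={s.meta.get('scanned')} "
              f"found={s.found} cleaned={s.cleaned}")
        for d in s.detections:
            print(f"  {d.path} | {d.threat} | {d.action}")
    print("\n".join(review_flags(parse_eset_log(SAMPLE_LOG))))
```

Run against the real log pasted in the thread, the parser yields three sessions; the middle one (February 22) was run with `remove_checked=false` but found nothing, so no flag is raised, while the path fused with "Startup" in the April session still splits correctly because the threat name is matched from the right.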

#6 boopme

Posted 18 April 2010 - 10:54 PM

Hi, are you saying that the browser (IE) just opens or closes on you while just reading and /or highlighting text?

#7 angieInVA

Posted 19 April 2010 - 12:39 AM

Yes, that's a good way to explain it. It's not so much closing; it opens another window/browser and switches pages/URLs on the current window/browser.

How does the scan look?

thanks

Angie

#8 boopme

Posted 19 April 2010 - 10:19 AM

OK, looking good as far as the malware, though. Are you using IE 6, 7, or 8?

Do you have an XP CD?

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#9 angieInVA

Posted 19 April 2010 - 10:55 AM

Great, I'm using IE 8,

the only disks I have are what came with this Dell

Should I use today as a restore date/point?

#10 boopme

Posted 19 April 2010 - 11:08 AM

We can't as we only have the one we just made and that is after the issue.

Pretty sure that disk will work. I wanted to run SFC and see if any files needed repair.

Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.

#11 angieInVA

Posted 19 April 2010 - 01:50 PM

sorry, should I run "Cleanmgr" before I run "sfc /scannow" or does it make a difference? I was waiting to hear about "Restore"

Angie

#12 boopme

Posted 19 April 2010 - 03:17 PM

Did you already do the Restore Point? If not, we can go back and see if the browser issue goes away. Then we re-clean the machine.

If so, then yes, you can do the CleanMgr.

#13 angieInVA

Posted 19 April 2010 - 05:30 PM

Everything is done in this order:

created Restore Point
cleanmgr
sfc /scannow

I walked away from sfc /scannow and came back to only have the Windows Task Manager up on my screen with nothing running. It did ask for my Win XP CD after it started.

Angie

Edited by angieInVA, 19 April 2010 - 05:31 PM.


#14 boopme

Posted 19 April 2010 - 08:34 PM

So I am not sure if you are saying it's OK after you put in the disk or you are hung up at Task Manager?

#15 angieInVA

Posted 19 April 2010 - 10:43 PM

It was running when I walked away, with 2 windows/boxes: one for Windows Task Manager and one for Windows File Protection. When I came back to the computer, all that was on my screen was the Windows Task Manager window/box, showing nothing running. What is supposed to happen when sfc /scannow is finished?



