Yet another Google Re-direct issue


This topic is locked. 13 replies to this topic.

#1 GEA@Eaton
Posted 07 May 2010 - 11:12 AM

Greetings, have acquired a Goggle re-direct problem in the last few days - somewhat sporadic but persistant, running Windows Vista, and McAfee 5.0, patch 5. Any suggestions appreciated.


#2 boopme (Global Moderator)
Posted 07 May 2010 - 11:27 AM

Hello and welcome. Please run these next. If you have Spybot installed, temporarily disable it.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop (alternate download link 1, alternate download link 2).
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Next run ATF and SAS: If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 GEA@Eaton (Topic Starter)

Posted 07 May 2010 - 01:03 PM

OK - will do, I have run Defogger and DSS - should also do the GMER or just proceed as instructed?

#4 boopme (Global Moderator)

Posted 07 May 2010 - 01:11 PM

You can run GMER also. Post the SAS and GMER logs.

#5 GEA@Eaton (Topic Starter)

Posted 07 May 2010 - 02:38 PM

OK - here is my MBAM Log and SAS logs (I was blocked from downloading ATF by sonicwall)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

5/7/2010 2:15:37 PM
mbam-log-2010-05-07 (14-15-37).txt

Scan type: Quick scan
Objects scanned: 143290
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Windows\Temp\7952.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\BCED.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\C313.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Windows\System32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.


SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2010 at 03:05 PM

Application Version : 4.37.1000

Core Rules Database Version : 4900
Trace Rules Database Version: 2712

Scan type : Complete Scan
Total Scan Time : 00:22:15

Memory items scanned : 326
Memory threats detected : 0
Registry items scanned : 7713
Registry threats detected : 0
File items scanned : 32637
File threats detected : 86

Adware.Tracking Cookie
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@invitemedia[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@accounts.key[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@keybank.112.2o7[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@collective-media[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@oasn04.247realmedia[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@apmebf[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@click.tigeronline[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@pointroll[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@247realmedia[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@fastclick[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@doubleclick[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@imrworldwide[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@ads.pointroll[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@ad.yieldmanager[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@ads.bleepingcomputer[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@casalemedia[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@bizzclick[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@atdmt[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@questionmarket[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@tribalfusion[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@admarketplace[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@bridge2.admarketplace[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\gary@mediaplex[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary@adrevolver[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary@atdmt[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary@fastclick[2].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary@media.adrevolver[1].txt
C:\Users\gary\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary@tribalfusion[1].txt
C:\Users\Gary Allen\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary_allen@doubleclick[1].txt
C:\Users\Gary Allen\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary_allen@atdmt[1].txt
C:\Users\Gary Allen\AppData\Roaming\Microsoft\Windows\Cookies\Low\gary_allen@msnportal.112.2o7[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ads.pointroll[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@xml.trafficengine[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@dc.tremormedia[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atdmt[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@kontera[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@clicksor[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ads.bighealthtree[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@dr.findlinks[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bizzclick[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@statcounter[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@apmebf[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@interclick[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@apmebf[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@beacon.dmsinsights[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@burstnet[3].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@invitemedia[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@burstnet[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@enhance[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@trafficengine[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@media6degrees[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediaplex[3].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediaplex[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@adserver.adtechus[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@bs.serving-sys[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@realmedia[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediaforge[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@myroitracking[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@trafficmp[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@a1.interclick[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tacoda[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tribalfusion[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.burstnet[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@at.atwola[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tribalfusion[3].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@serving-sys[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@www.burstnet[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mediaforgews[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@cdn1.trafficmp[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@trafficmp[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revsci[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@cdn1.trafficmp[3].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@network.realmedia[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@imrworldwide[3].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@advertising[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@advertising[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@theclickcheck[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@imrworldwide[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@pointroll[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atdmt[1].txt
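The MBAM log in this post is where the severity of the case shows, and the two entries that matter most are easy to miss among the cookie hits that follow: the Hijack.Userinit line reports that the Winlogon Userinit value (the list of programs Windows runs at every logon) had a second executable, sdra64.exe, appended after userinit.exe, and several items could only be scheduled for "Delete on reboot", which is why the reboot note in the instructions matters. As an added example (not part of the thread and not a Malwarebytes tool), here is a Python triage script for a log in this format: it groups detections by family, lists what still depends on a reboot, and extracts the executable that a Hijack.Userinit entry says was appended. SAMPLE_LOG is an abbreviated copy of the log posted above; the high-risk family grouping is an assumption made for this example, not MBAM's own classification.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread, not a Malwarebytes tool.  It extracts the
detections, groups them by family, separates what still needs a reboot, and
pulls out the executable that a Hijack.Userinit entry says was appended to
the Winlogon Userinit value.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Abbreviated copy of the MBAM log posted in this thread: the header and the
# sections that drive the triage (summary counts and most entries omitted).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

Scan type: Quick scan
Objects scanned: 143290

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Windows\Temp\7952.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Windows\temp\C313.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\Windows\System32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
"""

# "Registry Keys Infected:" opens a section; "Registry Keys Infected: 6" in
# the summary block is a plain key/value line and is captured as header data.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
HEADER_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.+)$")

# Families that point to remote control or credential theft rather than
# nuisance adware (assumed grouping for this example, not MBAM's own).
HIGH_RISK_PREFIXES = ("Backdoor.", "Spyware.Zbot", "Hijack.", "Rootkit.", "Stolen.")


@dataclass
class Entry:
    section: str
    item: str      # registry path, folder or file
    family: str    # MBAM's detection name, e.g. Spyware.Zbot
    detail: str    # text between the family and the final action (may be empty)
    action: str    # e.g. "Quarantined and deleted successfully." / "Delete on reboot."


def parse_mbam_log(text):
    """Return (header, entries): header holds the 'Key: value' lines above the sections."""
    header, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None:
            m = HEADER_RE.match(line)
            if m:
                header[m.group("key")] = m.group("value")
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        entries.append(Entry(section, m.group("item"), m.group("family"),
                             " -> ".join(parts[:-1]), parts[-1]))
    return header, entries


def family_counts(entries):
    return Counter(e.family for e in entries)


def pending_reboot(entries):
    """Items MBAM could not remove live; the log marks them 'Delete on reboot'."""
    return [e for e in entries if e.action.startswith("Delete on reboot")]


def userinit_extras(entries):
    """Executables appended to Winlogon\\Userinit according to Hijack.Userinit entries."""
    extras = []
    for e in entries:
        if e.family != "Hijack.Userinit":
            continue
        m = re.search(r"Bad: \((?P<bad>[^)]*)\)", e.detail)
        if not m:
            continue
        for path in m.group("bad").split(","):
            path = path.strip()
            if path and not path.lower().endswith("userinit.exe"):
                extras.append(path)
    return extras


def is_high_risk(entries):
    return any(e.family.startswith(HIGH_RISK_PREFIXES) for e in entries)


if __name__ == "__main__":
    header, entries = parse_mbam_log(SAMPLE_LOG)
    print("database", header.get("Database version"), "-", header.get("Scan type"))
    for fam, n in family_counts(entries).most_common():
        print(f"{n:3d}  {fam}")
    print("pending reboot:", [e.item for e in pending_reboot(entries)])
    print("appended to Userinit:", userinit_extras(entries))
    print("high risk:", is_high_risk(entries))
```

Feed it a full saved log instead of SAMPLE_LOG and the summary lines ("Files Infected: 6") land in the returned header, which lets a helper cross-check the count against the entries actually listed.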

#6 GEA@Eaton (Topic Starter)

Posted 07 May 2010 - 03:19 PM

Still got the same issues - google re-directs, IE spontaneous launches, etc.

#7 boopme (Global Moderator)

Posted 07 May 2010 - 03:59 PM

Ok yes we have a serious infection here. I would like to do another scan to see how we should proceed. I suspect a Virut infection and that would be incurable. First here's something to consider with what we have found.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

ESET scan
Please perform a scan with the ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#8 GEA@Eaton (Topic Starter)

Posted 10 May 2010 - 01:03 PM

OK - not the news I wanted to hear. The following is the log file from the ESET scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=994284f17379d5409e9bfe32db5efe18
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-10 05:57:47
# local_time=2010-05-10 01:57:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=5892 16776574 100 100 1766460 110115334 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=133401
# found=4
# cleaned=4
# scan_time=6435
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\rasacd.sys.vir Win32/Olmarik.ZC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\rasacd.sys.vir_ Win32/Olmarik.ZC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\temp\FC24.tmp a variant of Win32/Kryptik.DYO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\winsxs\x86_microsoft-windows-rasautodial_31bf3856ad364e35_6.0.6001.18000_none_0fd9feb665531f63\rasacd.sys Win32/Olmarik.ZC trojan (deleted - quarantined) 00000000000000000000000000000000 C

#9 boopme (Global Moderator)

Posted 10 May 2010 - 01:58 PM

Hi, did you run ComboFix before the SAS scan?

Run GMER now.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.
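Reading the GMER log is the harder half of the step above. On a machine running McAfee, most of the "Code" lines are the vendor's own HIPS driver (mfehidk.sys) hooking kernel services, which is expected; the entries a helper reads first are hooks from a driver that carries no vendor information, a physical disk device object listed under Devices, and a "suspicious modification" reported on a storage driver in the Files section. As an added example (not part of the thread and not a GMER feature), here is a Python script that parses a log in GMER 1.0.15's text format, groups kernel hooks by the company string GMER prints from the driver's version info, and collects those three kinds of findings. SAMPLE_GMER is constructed for this example in GMER's format: the McAfee and iaStor lines mirror the kinds of entries that appear in this thread, and EXAMPLE_unknown.sys is a placeholder driver name included only to exercise the unknown-vendor branch.

```python
"""Triage a GMER 1.0.15 text log.

Added example for this thread, not a GMER feature.  It groups the kernel
hooks GMER lists under "Code" by the company string in the driver's version
info and collects the findings a helper reads first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample constructed for this example in GMER's log format.  The McAfee and
# iaStor lines mirror the kinds of entries that appear in this thread;
# EXAMPLE_unknown.sys is a placeholder name used only to exercise the
# unknown-vendor branch.
SAMPLE_GMER = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-10 18:52:11
Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F01B79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F01B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \??\C:\Windows\system32\drivers\EXAMPLE_unknown.sys ZwEnumerateKey [0x8F200000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8542BEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>\w+) - GMER")
# "Code <driver> (<description>/<company>) <function> [<address>]"; the
# parenthesised part and the address are optional.
CODE_RE = re.compile(
    r"^Code\s+(?P<path>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$")
DEVICE_RE = re.compile(r"^Device -> (?P<driver>\S+) (?P<device>\S+)")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<note>suspicious modification)$")


@dataclass
class Hook:
    path: str      # driver that owns the hook
    company: str   # company string from the version info, or "unknown"
    func: str      # hooked kernel service, e.g. ZwCreateFile


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_gmer_log(text):
    """Return (hooks, findings) from a GMER text log."""
    hooks, findings, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = CODE_RE.match(line)
        if m:
            vendor = m.group("vendor")
            company = vendor.split("/")[-1].strip() if vendor else "unknown"
            hooks.append(Hook(m.group("path"), company, m.group("func")))
            if company == "unknown":
                findings.append(Finding(
                    section, "kernel hook from a driver with no vendor information",
                    f"{m.group('func')} <- {m.group('path')}"))
            continue
        m = DEVICE_RE.match(line)
        if m and m.group("device").upper().endswith("\\DR0"):
            findings.append(Finding(section, "disk device object listed under Devices", line))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("note"), m.group("path")))
    return hooks, findings


def hooks_by_company(hooks):
    """Map company string -> hooked functions, so a known vendor's hooks collapse to one line."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h.company].append(h.func)
    return dict(grouped)


if __name__ == "__main__":
    hooks, findings = parse_gmer_log(SAMPLE_GMER)
    for company, funcs in hooks_by_company(hooks).items():
        print(f"{len(funcs):3d} hooks  {company}: {', '.join(funcs)}")
    for f in findings:
        print(f"[{f.section}] {f.reason}: {f.detail}")
```

Grouping by company is what makes a long log readable: eighteen McAfee hooks become one line, and anything left over is what deserves a closer look.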

#10 GEA@Eaton (Topic Starter)

Posted 10 May 2010 - 06:13 PM

Yes - I did run Combofix a few days back prior to logging into the forum - to no avail. Here are 2 sets of GMER logs - first set is with windows running reg mode - gmer scan would hang at a certain point and then crash but I was able to stop the scan at that point on the 2nd or 3rd attempt and copy the log up to that point. The second set of logs is with windows in safe mode - gmer was able to complete the scan after 2 tries.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-10 18:52:11
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F01B79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F01B738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F01B74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F01B7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F01B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F01B724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F01B7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F01B78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F01B776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F01B80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F01B7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F01B7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F01B762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8542BEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 18:59:27
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F41E79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F41E738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F41E74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F41E7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F41E710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F41E724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F41E7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F41E78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F41E776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F41E80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F41E7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F41E7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F41E762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 81C5B1F0 5 Bytes JMP 8F41E7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 81DFDF40 5 Bytes JMP 8F41E766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 81E180F6 5 Bytes JMP 8F41E80F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 81E37380 5 Bytes JMP 8F41E728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 81E46D0B 5 Bytes JMP 8F41E714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 81E5996C 7 Bytes JMP 8F41E7E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 81E59FC3 5 Bytes JMP 8F41E7F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 81E5C1D4 5 Bytes JMP 8F41E7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 81E69892 5 Bytes JMP 8F41E77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 81E6BAEC 7 Bytes JMP 8F41E7B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 81EC97B7 5 Bytes JMP 8F41E73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81EC9802 7 Bytes JMP 8F41E750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 81ECA2BF 5 Bytes JMP 8F41E78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\Windows\system32\drivers\pci.sys entry point in ".rsrc" section [0x8070B014]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EA01340, 0x3CFE17, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[444] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00740F48
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00740098
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 007400D5
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 007400C4
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 0074007D
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00740FCA
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 0074006C
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 0074005B
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00740F92
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00740FAF
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00740036
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00740F6D
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00740F23
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00740000
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00740FE5
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 0074001B
.text C:\Windows\system32\svchost.exe[444] kernel32.dll!WinExec 769154FF 5 Bytes JMP 007400A9
.text C:\Windows\system32\svchost.exe[444] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 006E0FD4
.text C:\Windows\system32\svchost.exe[444] msvcrt.dll!system 76828B63 5 Bytes JMP 006E0055
.text C:\Windows\system32\svchost.exe[444] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 006E0029
.text C:\Windows\system32\svchost.exe[444] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 006E000C
.text C:\Windows\system32\svchost.exe[444] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 006E003A
.text C:\Windows\system32\svchost.exe[444] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 006E0FEF
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00020058
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 0002002C
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00020000
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00020047
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00020073
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00020FD4
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00020FE5
.text C:\Windows\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 0002001B
.text C:\Windows\system32\svchost.exe[444] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00750FEF
.text C:\Windows\system32\svchost.exe[444] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 0075001B
.text C:\Windows\system32\svchost.exe[444] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 0075000A
.text C:\Windows\system32\svchost.exe[444] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00750FCA
.text C:\Windows\system32\svchost.exe[444] WS2_32.dll!socket 77D236D1 5 Bytes JMP 0097000A
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00B60F57
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00B60F72
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00B600C2
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00B60F2B
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00B60093
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00B60FB9
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00B60076
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00B60040
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00B60F9E
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00B6005B
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00B6002F
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00B60F8D
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00B600D3
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00B6000A
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00B60FEF
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00B60FD4
.text C:\Windows\system32\svchost.exe[568] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00B60F46
.text C:\Windows\system32\svchost.exe[568] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00B10027
.text C:\Windows\system32\svchost.exe[568] msvcrt.dll!system 76828B63 5 Bytes JMP 00B10016
.text C:\Windows\system32\svchost.exe[568] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00B10FC1
.text C:\Windows\system32\svchost.exe[568] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00B10FEF
.text C:\Windows\system32\svchost.exe[568] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00B10FA6
.text C:\Windows\system32\svchost.exe[568] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00B10FD2
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00AE0FAF
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00AE0FCA
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00AE0000
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00AE0051
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00AE0F9E
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00AE0FE5
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00AE001B
.text C:\Windows\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00AE0036
.text C:\Windows\system32\svchost.exe[568] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00B70000
.text C:\Windows\system32\svchost.exe[568] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00B70022
.text C:\Windows\system32\svchost.exe[568] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00B70011
.text C:\Windows\system32\svchost.exe[568] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00B7003D
.text C:\Windows\system32\svchost.exe[568] Ws2_32.dll!socket 77D236D1 5 Bytes JMP 00B80FEF
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 008A0F4F
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 008A0F6A
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 008A0F34
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 008A00C1
.text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 008A0084
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 008A0FD4
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 008A0073
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 008A0051
.text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 008A0095
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 008A0062
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 008A0036
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 008A0F85
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 008A00E6
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 008A000A
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 008A0FEF
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 008A0025
.text C:\Windows\system32\services.exe[668] kernel32.dll!WinExec 769154FF 5 Bytes JMP 008A00B0
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 0084006F
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 0084004A
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00840FEF
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00840FC3
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00840FB2
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00840014
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00840FDE
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 0084002F
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00890047
.text C:\Windows\system32\services.exe[668] msvcrt.dll!system 76828B63 5 Bytes JMP 00890036
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00890FC6
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00890000
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 0089001B
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00890FD7
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00A00000
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00A00FD4
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00A00FE5
.text C:\Windows\system32\services.exe[668] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00A00FB9
.text C:\Windows\system32\services.exe[668] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00A10FE5
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 0017008A
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00170F4E
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 001700C7
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 001700B6
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00170F7A
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 0017002F
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 0017005E
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00170FB2
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 0017006F
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00170FA1
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00170FC3
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00170F5F
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00170F15
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 0017000A
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00170FEF
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00170FDE
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!WinExec 769154FF 5 Bytes JMP 0017009B
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00150073
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00150FD1
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 0015000A
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00150062
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 0015008E
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 0015002C
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0015001B
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 0015003D
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00160042
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!system 76828B63 5 Bytes JMP 00160FAD
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00160FC8
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00160FEF
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 0016001D
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 0016000C
.text C:\Windows\system32\lsass.exe[692] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00C90FEF
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00C80FE5
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00C80000
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00C80FD4
.text C:\Windows\system32\lsass.exe[692] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00C8001B
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00CE007D
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00CE006C
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00CE00BD
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00CE00A2
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00CE0040
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00CE0FB9
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00CE0F66
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00CE0025
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00CE0F4B
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00CE0F83
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00CE0FA8
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00CE005B
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00CE00CE
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00CE0FD4
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00CE0FE5
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00CE000A
.text C:\Windows\system32\svchost.exe[848] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00CE0F26
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00CD0055
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!system 76828B63 5 Bytes JMP 00CD0044
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00CD0FD4
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00CD0FEF
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00CD0033
.text C:\Windows\system32\svchost.exe[848] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00CD0018
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00CC0F7C
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00CC0014
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00CC0FEF
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00CC0F8D
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00CC0F61
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00CC0FB9
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00CC0FCA
.text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00CC0FA8
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00D80FEF
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00D8000A
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00D80FD4
.text C:\Windows\system32\svchost.exe[848] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00D80FB9
.text C:\Windows\system32\svchost.exe[848] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00DD0FE5
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00D20F5D
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00D20099
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00D20F31
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00D20F4C
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00D20F7F
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00D20FBC
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00D2004D
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00D20032
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00D20074
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00D20F90
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00D20FAB
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00D20F6E
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00D200E3
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00D20FDE
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00D20FEF
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00D20FCD
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00D200BE
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00D10F97
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!system 76828B63 5 Bytes JMP 00D10FB2
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00D10FDE
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00D10000
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00D10FC3
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00D10FEF
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00CC0062
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00CC0FCA
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00CC0FEF
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00CC0051
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00CC0FA5
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00CC0025
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00CC000A
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00CC0036
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00D3000A
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00D3002C
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00D3001B
.text C:\Windows\system32\svchost.exe[956] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00D30051
.text C:\Windows\system32\svchost.exe[956] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00D80000
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 008E0F17
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 008E0F28
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 008E00A4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 008E0093
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 008E0F5E
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 008E0025
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 008E0F79
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 008E0036
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 008E005D
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 008E0F8A
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 008E0FAF
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 008E0F4D
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 008E00BF
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 008E0FE5
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 008E0000
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 008E0FD4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!WinExec 769154FF 5 Bytes JMP 008E0078
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 008D0FA6
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!system 76828B63 5 Bytes JMP 008D0027
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 008D000C
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 008D0FE3
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 008D0FB7
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 008D0FD2
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00860F6B
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00860F8D
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00860FEF
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00860F7C
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 0086001E
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00860FC3
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00860FDE
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00860FA8
.text C:\Windows\System32\svchost.exe[1056] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 009F000A
.text C:\Windows\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 009F002F
.text C:\Windows\System32\svchost.exe[1056] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 009F0FEF
.text C:\Windows\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 009F0FDE
.text C:\Windows\System32\svchost.exe[1056] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00C00000
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00C30F4D
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00C30F5E
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00C30F1E
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00C300B5
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00C30FA5
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00C30036
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00C30FB6
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00C30062
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00C30F8A
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00C30073
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00C30051
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00C30F6F
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00C30F0D
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00C30011
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00C30000
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00C30FE5
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00C300A4
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00AD005F
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!system 76828B63 5 Bytes JMP 00AD004E
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00AD0FDE
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00AD0000
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00AD0029
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00AD0FEF
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00A80058
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00A80036
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00A80FEF
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00A80047
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00A80FA5
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00A8000A
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00A80FDE
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00A80025
.text C:\Windows\System32\svchost.exe[1124] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00C90FE5
.text C:\Windows\System32\svchost.exe[1124] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00C90FC0
.text C:\Windows\System32\svchost.exe[1124] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00C90000
.text C:\Windows\System32\svchost.exe[1124] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00C90011
.text C:\Windows\System32\svchost.exe[1124] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00CA0000
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77C18968 5 Bytes JMP 0078000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 77C192A8 5 Bytes JMP 0091000A
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!KiUserExceptionDispatcher 77C199E8 5 Bytes JMP 0077000A
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 011F00A2
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 011F0087
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 011F00D5
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 011F00C4
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 011F0F88
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 011F0047
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 011F0FA3
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 011F0FCA
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 011F0F77
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 011F006C
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 011F0FDB
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 011F0F5C
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 011F0F23
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 011F0025
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 011F0000
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 011F0036
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!WinExec 769154FF 5 Bytes JMP 011F00B3
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 011E003F
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!system 76828B63 5 Bytes JMP 011E002E
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 011E001D
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 011E000C
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 011E0FBE
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 011E0FE3
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 011D0051
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 011D0040
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 011D0FEF
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 011D0FAF
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 011D0F94
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 011D0FD4
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 011D000A
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 011D002F
.text C:\Windows\system32\svchost.exe[1184] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 01440FEF
.text C:\Windows\system32\svchost.exe[1184] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 01440FD4
.text C:\Windows\system32\svchost.exe[1184] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 01440000
.text C:\Windows\system32\svchost.exe[1184] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 01440FB9
.text C:\Windows\system32\svchost.exe[1184] WS2_32.dll!socket 77D236D1 5 Bytes JMP 01450000
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00A700AE
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00A7009D
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00A700DA
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00A700C9
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00A7008C
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00A70039
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00A7006F
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00A7005E
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00A70F8D
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00A70FB2
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00A70FCD
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00A70F7C
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00A700F5
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00A70FEF
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00A70000
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00A70FDE
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00A70F4D
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00A20FB7
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!system 76828B63 5 Bytes JMP 00A20042
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00A2000C
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00A20FE3
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00A20027
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00A20FD2
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 008C0FB9
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 008C004A
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 008C000A
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 008C005B
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 008C0076
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 008C0FE5
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 008C001B
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 008C0FD4
.text C:\Windows\system32\svchost.exe[1308] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00A80000
.text C:\Windows\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00A8001B
.text C:\Windows\system32\svchost.exe[1308] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00A80FE5
.text C:\Windows\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00A80FCA
.text C:\Windows\system32\svchost.exe[1308] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00A90FEF
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00C500CB
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00C500B0
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00C50F59
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00C500E6
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00C50F8F
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00C5002C
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00C50069
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00C5004E
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00C5008E
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00C50FAC
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00C5003D
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00C5009F
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00C5010B
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00C50FEF
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00C50000
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00C5001B
.text C:\Windows\system32\svchost.exe[1448] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00C50F6A
.text C:\Windows\system32\svchost.exe[1448] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00C0006B
.text C:\Windows\system32\svchost.exe[1448] msvcrt.dll!system 76828B63 5 Bytes JMP 00C00050
.text C:\Windows\system32\svchost.exe[1448] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00C0002E
.text C:\Windows\system32\svchost.exe[1448] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00C00000
.text C:\Windows\system32\svchost.exe[1448] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00C0003F
.text C:\Windows\system32\svchost.exe[1448] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00C0001D
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00020065
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00020FD4
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00020000
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00020FC3
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00020FB2
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00020036
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0002001B
.text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00020FE5
.text C:\Windows\system32\svchost.exe[1448] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00CA0FEF
.text C:\Windows\system32\svchost.exe[1448] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00CA0FCA
.text C:\Windows\system32\svchost.exe[1448] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00CA0000
.text C:\Windows\system32\svchost.exe[1448] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00CA0FAF
.text C:\Windows\system32\svchost.exe[1448] WS2_32.dll!socket 77D236D1 5 Bytes JMP 0104000A
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00A4005B
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00A40F1F
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00A40076
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00A40EDF
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00A40F5C
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00A4002C
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00A40F83
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00A40FAF
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00A40F41
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00A40F94
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00A40FC0
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00A40F30
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 768CB8B6 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!GetProcAddress + 3 768CB8B9 2 Bytes [17, 8A]
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00A40011
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00A40000
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00A40FE5
.text C:\Windows\system32\svchost.exe[1596] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00A40EF0
.text C:\Windows\system32\svchost.exe[1596] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00930064
.text C:\Windows\system32\svchost.exe[1596] msvcrt.dll!system 76828B63 5 Bytes JMP 00930053
.text C:\Windows\system32\svchost.exe[1596] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 0093001D
.text C:\Windows\system32\svchost.exe[1596] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00930FEF
.text C:\Windows\system32\svchost.exe[1596] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00930038
.text C:\Windows\system32\svchost.exe[1596] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 0093000C
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00780FB9
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00780FD4
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00780FEF
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 0078005B
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00780080
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00780025
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0078000A
.text C:\Windows\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00780036
.text C:\Windows\system32\svchost.exe[1596] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00A90000
.text C:\Windows\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00A9001B
.text C:\Windows\system32\svchost.exe[1596] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00A90FDB
.text C:\Windows\system32\svchost.exe[1596] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00A90FCA
.text C:\Windows\system32\svchost.exe[1596] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00BE0FE5
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 00CA0F37
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00CA007D
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 00CA0F0B
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00CA0098
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00CA0062
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00CA0FAF
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00CA0F7E
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 00CA0036
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 00CA0F6D
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00CA0047
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 00CA001B
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 00CA0F52
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00CA0EF0
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00CA0FE5
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00CA0000
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 00CA0FCA
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!WinExec 769154FF 5 Bytes JMP 00CA0F1C
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00C40042
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!system 76828B63 5 Bytes JMP 00C40FB7
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00C40FD2
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00C4000C
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00C40027
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00C40FE3
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00760047
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00760FA5
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00760000
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 0076002C
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00760062
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00760FCA
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00760FDB
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 0076001B
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 01580000
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 01580FE5
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 0158001B
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 01580FD4
.text C:\Windows\system32\svchost.exe[1868] WS2_32.dll!socket 77D236D1 3 Bytes JMP 015E0000
.text C:\Windows\system32\svchost.exe[1868] WS2_32.dll!socket + 4 77D236D5 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 0087007A
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 00870069
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 008700A6
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 00870F0F
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 00870F48
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 00870FB9
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 00870F6F
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 0087002C
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 0087003D
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 00870F8A
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 0087001B
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 0087004E
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 00870EFE
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 00870FDE
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 00870FEF
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 0087000A
.text C:\Windows\system32\svchost.exe[2196] kernel32.dll!WinExec 769154FF 5 Bytes JMP 0087008B
.text C:\Windows\system32\svchost.exe[2196] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 006F0047
.text C:\Windows\system32\svchost.exe[2196] msvcrt.dll!system 76828B63 5 Bytes JMP 006F0036
.text C:\Windows\system32\svchost.exe[2196] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 006F000A
.text C:\Windows\system32\svchost.exe[2196] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 006F0FEF
.text C:\Windows\system32\svchost.exe[2196] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 006F0025
.text C:\Windows\system32\svchost.exe[2196] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 006F0FD2
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00010FA8
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00010FB9
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 0001004A
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00010F97
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00010FD4
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0001000A
.text C:\Windows\system32\svchost.exe[2196] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00010025
.text C:\Windows\system32\svchost.exe[2196] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00880000
.text C:\Windows\system32\svchost.exe[2196] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00880025
.text C:\Windows\system32\svchost.exe[2196] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00880FEF
.text C:\Windows\system32\svchost.exe[2196] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 00880036
.text C:\Windows\system32\svchost.exe[2196] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00890FE5
.text C:\Windows\Explorer.EXE[2528] ntdll.dll!NtProtectVirtualMemory 77C18968 5 Bytes JMP 0022000A
.text C:\Windows\Explorer.EXE[2528] ntdll.dll!NtWriteVirtualMemory 77C192A8 5 Bytes JMP 0023000A
.text C:\Windows\Explorer.EXE[2528] ntdll.dll!KiUserExceptionDispatcher 77C199E8 5 Bytes JMP 0021000A
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 03A10093
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 03A10078
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 03A10F17
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 03A10F28
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 03A10031
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 03A10FA8
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 03A10F57
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 03A1000A
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 03A10042
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 03A10F68
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 03A10F83
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 03A1005D
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 03A100C9
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 03A10FCA
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 03A10FE5
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 03A10FB9
.text C:\Windows\Explorer.EXE[2528] kernel32.dll!WinExec 769154FF 5 Bytes JMP 03A100A4
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 02400051
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 0240002F
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 02400FEF
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 02400040
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 02400F94
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 02400014
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 02400FD4
.text C:\Windows\Explorer.EXE[2528] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 02400FC3
.text C:\Windows\Explorer.EXE[2528] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 03A00F9A
.text C:\Windows\Explorer.EXE[2528] msvcrt.dll!system 76828B63 5 Bytes JMP 03A0002F
.text C:\Windows\Explorer.EXE[2528] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 03A00000
.text C:\Windows\Explorer.EXE[2528] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 03A00FE3
.text C:\Windows\Explorer.EXE[2528] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 03A00FB5
.text C:\Windows\Explorer.EXE[2528] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 03A00FD2
.text C:\Windows\Explorer.EXE[2528] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 03A20000
.text C:\Windows\Explorer.EXE[2528] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 03A2002C
.text C:\Windows\Explorer.EXE[2528] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 03A2001B
.text C:\Windows\Explorer.EXE[2528] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 03A20FDB
.text C:\Windows\Explorer.EXE[2528] WS2_32.dll!socket 77D236D1 5 Bytes JMP 03CF0000
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 012C0F66
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 012C00B6
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 012C0F44
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 012C0F55
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 012C0F9C
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 012C0FC3
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 012C0080
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 012C0054
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 012C0091
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 012C006F
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 012C002F
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 012C0F81
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 012C00F6
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 012C000A
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 012C0FEF
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 012C0FD4
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!WinExec 769154FF 5 Bytes JMP 012C00C7
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 01230F7A
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!system 76828B63 5 Bytes JMP 01230F8B
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 01230FB7
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 01230FE3
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 01230FA6
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 01230FD2
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 011B006C
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 011B0051
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 011B0000
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 011B0FC0
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 011B0FA5
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 011B0025
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 011B0FEF
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 011B0040
.text C:\Windows\system32\svchost.exe[2572] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 01310FEF
.text C:\Windows\system32\svchost.exe[2572] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 01310FD4
.text C:\Windows\system32\svchost.exe[2572] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 0131000A
.text C:\Windows\system32\svchost.exe[2572] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 0131002F
.text C:\Windows\system32\svchost.exe[2572] WS2_32.dll!socket 77D236D1 5 Bytes JMP 01360FE5
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 001A008C
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 001A0F46
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 001A0EFF
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 001A0F1A
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 001A0060
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 001A0FB2
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 001A004F
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 001A0028
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 001A0F61
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 001A0F86
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 001A0F97
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 001A0071
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 001A0EEE
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 001A0FD4
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 001A0FE5
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 001A0FC3
.text C:\Windows\system32\svchost.exe[2712] kernel32.dll!WinExec 769154FF 5 Bytes JMP 001A0F2B
.text C:\Windows\system32\svchost.exe[2712] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 00190044
.text C:\Windows\system32\svchost.exe[2712] msvcrt.dll!system 76828B63 5 Bytes JMP 00190033
.text C:\Windows\system32\svchost.exe[2712] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 00190FCD
.text C:\Windows\system32\svchost.exe[2712] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[2712] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 00190022
.text C:\Windows\system32\svchost.exe[2712] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 00190FDE
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 0002006C
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00020FCA
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 00020000
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00020051
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00020FAF
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00020FE5
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 0002001B
.text C:\Windows\system32\svchost.exe[2712] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00020036
.text C:\Windows\system32\svchost.exe[2712] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 000A0000
.text C:\Windows\system32\svchost.exe[2712] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 000A0FD4
.text C:\Windows\system32\svchost.exe[2712] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 000A0FE5
.text C:\Windows\system32\svchost.exe[2712] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 000A001B
.text C:\Windows\system32\svchost.exe[2712] WS2_32.dll!socket 77D236D1 5 Bytes JMP 0001000A
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!GetStartupInfoW 76881929 5 Bytes JMP 001B008C
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!GetStartupInfoA 768819C9 5 Bytes JMP 001B0F46
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!CreateProcessW 76881C01 5 Bytes JMP 001B0F1A
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!CreateProcessA 76881C36 5 Bytes JMP 001B00A7
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!VirtualProtect 76881DD1 5 Bytes JMP 001B0060
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!CreateNamedPipeW 76885C44 5 Bytes JMP 001B001E
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!LoadLibraryExW 768A30C3 5 Bytes JMP 001B0F86
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!LoadLibraryW 768A361F 5 Bytes JMP 001B0FB2
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!VirtualProtectEx 768A8D7E 5 Bytes JMP 001B0F6B
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!LoadLibraryExA 768A9469 5 Bytes JMP 001B0F97
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!LoadLibraryA 768A9491 5 Bytes JMP 001B002F
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!CreatePipe 768B0284 5 Bytes JMP 001B007B
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!GetProcAddress 768CB8B6 5 Bytes JMP 001B00C2
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!CreateFileW 768CCC4E 5 Bytes JMP 001B0FDE
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!CreateFileA 768CCF71 5 Bytes JMP 001B0FEF
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!CreateNamedPipeA 7691430E 5 Bytes JMP 001B0FCD
.text C:\Windows\System32\svchost.exe[2740] kernel32.dll!WinExec 769154FF 5 Bytes JMP 001B0F2B
.text C:\Windows\System32\svchost.exe[2740] msvcrt.dll!_wsystem 76828A47 5 Bytes JMP 001A0FC3
.text C:\Windows\System32\svchost.exe[2740] msvcrt.dll!system 76828B63 5 Bytes JMP 001A0FD4
.text C:\Windows\System32\svchost.exe[2740] msvcrt.dll!_creat 7682C6F1 5 Bytes JMP 001A0029
.text C:\Windows\System32\svchost.exe[2740] msvcrt.dll!_open 7682DA7E 5 Bytes JMP 001A0FEF
.text C:\Windows\System32\svchost.exe[2740] msvcrt.dll!_wcreat 7682DC9E 5 Bytes JMP 001A003A
.text C:\Windows\System32\svchost.exe[2740] msvcrt.dll!_wopen 7682DE79 5 Bytes JMP 001A0018
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegCreateKeyExA 7669B5E7 5 Bytes JMP 00020F8D
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegCreateKeyA 7669B8AE 5 Bytes JMP 00020FB9
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegOpenKeyA 766A0BF5 5 Bytes JMP 0002000A
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegCreateKeyW 766AB83D 5 Bytes JMP 00020F9E
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegCreateKeyExW 766ABCE1 5 Bytes JMP 00020F72
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegOpenKeyExA 766AD4E8 5 Bytes JMP 00020FEF
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegOpenKeyW 766B3CB0 5 Bytes JMP 00020025
.text C:\Windows\System32\svchost.exe[2740] ADVAPI32.dll!RegOpenKeyExW 766BF09D 5 Bytes JMP 00020FD4
.text C:\Windows\System32\svchost.exe[2740] WININET.dll!InternetOpenA 76A10A4D 5 Bytes JMP 00310000
.text C:\Windows\System32\svchost.exe[2740] WININET.dll!InternetOpenUrlA 76A12713 5 Bytes JMP 00310FDE
.text C:\Windows\System32\svchost.exe[2740] WININET.dll!InternetOpenW 76A130C8 5 Bytes JMP 00310FEF
.text C:\Windows\System32\svchost.exe[2740] WININET.dll!InternetOpenUrlW 76A684F1 5 Bytes JMP 0031002F

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8542FEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\pci.sys suspicious modification
File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

WINDOWS IN SAFE MODE:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-10 17:32:47
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 85428EE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 18:04:25
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\gary\AppData\Local\Temp\uwlciuog.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\pci.sys entry point in ".rsrc" section [0x80705014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 77A08968 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtWriteVirtualMemory 77A092A8 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!KiUserExceptionDispatcher 77A099E8 5 Bytes JMP 0015000A
.text C:\Windows\Explorer.EXE[1824] ntdll.dll!NtProtectVirtualMemory 77A08968 5 Bytes JMP 008C000A
.text C:\Windows\Explorer.EXE[1824] ntdll.dll!NtWriteVirtualMemory 77A092A8 5 Bytes JMP 008D000A
.text C:\Windows\Explorer.EXE[1824] ntdll.dll!KiUserExceptionDispatcher 77A099E8 5 Bytes JMP 008B000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\fastfat \Fat 96F1BA7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 85428EE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\pci.sys suspicious modification
File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#11 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,221 posts
  • Location:NJ USA

Posted 10 May 2010 - 08:24 PM

Hello, looks like we will need to replace a few files. As these can kill your PC, I want you to do it with an assistant.

Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Include the ComboFix log if you have it and the last GMER log you posted above.
Let me know if that went well.

Edited by boopme, 10 May 2010 - 08:25 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#12 GEA@Eaton
  • Topic Starter
  • Members
  • 15 posts

Posted 11 May 2010 - 08:37 AM

OK - I posted the DDS logs and the last GMER log in the other forum. As I mentioned there, I could not locate the ComboFix log that I generated last week; if you can give me a file name or default location I could probably find it, but I am not inclined to re-run ComboFix without some hand-holding this time.

#13 GEA@Eaton
  • Topic Starter
  • Members
  • 15 posts

Posted 11 May 2010 - 11:24 AM

I did finally find my ComboFix log and I posted it in the logs forum.

#14 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,221 posts
  • Location:NJ USA

Posted 11 May 2010 - 02:12 PM

Looks good, I've combined your posts into one.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
