google redirect & unable to update windows


  • This topic is locked
2 replies to this topic

#1 anto987

Posted 21 May 2010 - 08:43 PM

Hi,
I have a problem that when I click on any link on a search site, I get redirected to another site. Also, I am unable to update Windows. I can open other sites except the Windows Update website. I have tried different anti-malware tools, but the problem is not solved yet. I ran DDS, GMER and ComboFix. After running ComboFix I am still not able to download Windows updates. Here are the log files.

DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by chris at 16:41:58.81 on 21/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.397 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Documents and Settings\chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Google Update] "c:\documents and settings\chris\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [nwiz] nwiz.exe /install
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.cric7.com/vjocx-en-black.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\k90etxio.default\
FF - plugin: c:\documents and settings\chris\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\chris\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\chris\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-15 343664]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-10-15 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-1-6 70728]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2010-2-2 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-2-2 65856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-15 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-15 43288]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.cfxxe" exec /i "c:\combofix\hidec.exe" "c:\combofix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\legacy_beep" /reset /q --> c:\combofix\PEV.cfxxe [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-1-6 65448]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-7-8 91830]

=============== Created Last 30 ================

2010-05-21 19:54:27 0 d-sha-r- C:\cmdcons
2010-05-21 19:50:39 77312 ----a-w- c:\windows\MBR.exe
2010-05-21 19:50:34 256512 ----a-w- c:\windows\PEV.exe
2010-05-21 19:50:34 161792 ----a-w- c:\windows\SWREG.exe
2010-05-21 19:50:33 98816 ----a-w- c:\windows\sed.exe
2010-05-21 12:14:49 0 d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2010-05-21 12:14:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-20 21:17:43 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 21:17:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-20 03:35:08 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2010-05-20 03:35:08 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2010-05-20 03:34:06 0 d-----w- c:\program files\common files\Nitro PDF
2010-05-20 03:33:01 0 d-----w- c:\program files\Nitro PDF
2010-05-20 03:26:55 0 d-----w- c:\docume~1\chris\applic~1\Downloaded Installations
2010-05-16 01:30:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2010-05-16 01:07:59 98816 ----a-w- c:\windows\system32\dllcache\dmstyle.dll
2010-05-16 00:59:45 0 d-----w- c:\program files\Microsoft Games
2010-05-16 00:49:13 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-15 17:35:20 0 d-----w- c:\program files\Microsoft
2010-04-27 18:22:38 0 d-----w- c:\windows\system32\TVUAx
2010-04-23 18:46:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2007-05-06 22:08:18 22 -csha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 16:44:04.32 ===============


ark.txt


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-21 20:02:10
Windows 5.1.2600 Service Pack 3
Running: 95tk4c65.exe; Driver: C:\DOCUME~1\chris\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF71757B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7175676]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7175610]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF7175624]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF717568A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF71756B6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF7175724]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF717570E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF717573A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF71757F8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF7175766]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7175662]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF71755D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF71755E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF71757CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF71757A2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF71756F8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF71756E2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF71756A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF717578E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF717577A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF717564E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF717563A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF71756CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7175827]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF7175750]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF717580E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF71757E2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5C7F360, 0x221BBD, 0xE8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF7A43C14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40FC3
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D400B8
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D400A7
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D400EE
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D40F55
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE40 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D40F44
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40054
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D40FDE
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D40F7C
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D40025
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D400C9
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D30047
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D30FAF
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D3002C
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D30011
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F3, 88]
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D3006C
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20055
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D20044
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20029
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[1176] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1176] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[1176] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[1176] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F400A7
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40FB2
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F4008C
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F6B
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F7C
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40F3F
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F400D8
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F400F3
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40025
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F40F8D
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F4005B
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40040
.text C:\WINDOWS\system32\svchost.exe[1192] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F40F5A
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F3006C
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F30051
.text C:\WINDOWS\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F20F9C
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F20FB7
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20FD2
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F20027
.text C:\WINDOWS\system32\svchost.exe[1192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20FE3
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F00011
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F0002C
.text C:\WINDOWS\system32\svchost.exe[1192] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F0003D
.text C:\WINDOWS\system32\svchost.exe[1192] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 053C0000
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 053C0090
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 053C0F9B
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 053C007F
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 053C0058
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 053C002C
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 053C00BE
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 053C0F76
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 053C0F39
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 053C0F54
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 053C00F7
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 053C0047
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 053C0FE5
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 053C00A1
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 053C0011
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 053C0FCA
.text C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 053C0F65
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 053B0FDE
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 053B0065
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 053B0FEF
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 053B001B
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 053B0FA8
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 053B000A
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 053B004A
.text C:\WINDOWS\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 053B0FCD
.text C:\WINDOWS\System32\svchost.exe[1236] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 04A5000A
.text C:\WINDOWS\System32\svchost.exe[1236] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 04A4000A
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 050C0066
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 050C0055
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 050C003A
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 050C0000
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 050C0FEF
.text C:\WINDOWS\System32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 050C0029
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 050A0000
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 050A0011
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 050A0022
.text C:\WINDOWS\System32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 050A0FD1
.text C:\WINDOWS\System32\svchost.exe[1236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 050B0000
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80043
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80F58
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80F69
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80F86
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80FA8
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80054
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80F0C
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80EE0
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A8006F
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80094
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80F97
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80F33
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80014
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80FC3
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80EF1
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A70FC3
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70076
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A70FD4
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A7005B
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A7004A
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A70039
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60FA6
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60031
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FC1
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FE3
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60020
.text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FD2
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A40047
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80F83
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80078
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80067
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C8009F
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80F57
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800BA
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F21
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800CB
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C80F72
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C80F3C
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70025
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70014
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C7006C
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C7005B
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C7004A
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60053
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60042
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C6000C
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60027
.text C:\WINDOWS\system32\svchost.exe[1404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FCD
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0028
.text C:\WINDOWS\system32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F63
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0058
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0F7E
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FA5
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0084
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0073
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00BA
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE00A9
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00D5
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE002C
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0011
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F48
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FDB
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F21
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FAF
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F68
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FC0
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FDB
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0F83
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0038
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0FB7
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FC8
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB001D
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FE3
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B90FCD
.text C:\WINDOWS\system32\svchost.exe[1792] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00B9001E
.text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 036B0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 036B0F5C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 036B0051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 036B0F77
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 036B0F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 036B0FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 036B0087
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 036B006C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 036B00B3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 036B0F24
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 036B00C4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 036B0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 036B000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 036B0F41
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 036B0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 036B002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 036B00A2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 036A0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 036A0FAF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 036A002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 036A0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 036A0FC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 036A0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 036A0062
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 036A0047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03690047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] msvcrt.dll!system 77C293C7 5 Bytes JMP 03690036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03690FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03690FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03690FBC
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03690FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03680FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03670FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03670FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03670014
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1964] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03670039
.text C:\WINDOWS\Explorer.EXE[2516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[2516] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02650000
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02650F70
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0265006F
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02650F97
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02650FA8
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02650025
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02650F31
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02650F42
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02650F16
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026500AF
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02650F05
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02650040
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02650FE5
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02650F5F
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02650FB9
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02650FD4
.text C:\WINDOWS\Explorer.EXE[2516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02650094
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02640FB9
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02640F6F
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0264000A
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02640FCA
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0264002C
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02640FE5
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02640F94
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 8A]
.text C:\WINDOWS\Explorer.EXE[2516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0264001B
.text C:\WINDOWS\Explorer.EXE[2516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0263005D
.text C:\WINDOWS\Explorer.EXE[2516] msvcrt.dll!system 77C293C7 5 Bytes JMP 02630038
.text C:\WINDOWS\Explorer.EXE[2516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630FD2
.text C:\WINDOWS\Explorer.EXE[2516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0263000C
.text C:\WINDOWS\Explorer.EXE[2516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02630027
.text C:\WINDOWS\Explorer.EXE[2516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02630FE3
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02600FEF
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02600FD4
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0260000A
.text C:\WINDOWS\Explorer.EXE[2516] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0260001B
.text C:\WINDOWS\Explorer.EXE[2516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0261000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\nvata \Device\Harddisk0\DR0 8553BCEC

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x8C 0x62 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x40 0x27 0xFF 0xCB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x8C 0x62 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x40 0x27 0xFF 0xCB ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----


CFScript.txt

ComboFix 10-05-20.A4 - chris 21/05/2010 20:32:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.480 [GMT -4:00]
Running from: c:\documents and settings\chris\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\vb40032.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-21 12:14 . 2010-05-21 12:14 -------- d-----w- c:\documents and settings\chris\Application Data\Malwarebytes
2010-05-21 12:14 . 2010-05-21 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 10:19 . 2010-05-21 10:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-20 21:17 . 2010-05-21 14:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 21:17 . 2010-05-21 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-20 19:52 . 2010-05-20 19:52 -------- d-----w- c:\documents and settings\chris\Local Settings\Application Data\Threat Expert
2010-05-20 03:39 . 2010-05-20 03:39 -------- d-----w- c:\documents and settings\chris\Application Data\Nitro PDF
2010-05-20 03:35 . 2010-02-02 16:33 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2010-05-20 03:35 . 2010-02-02 16:33 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2010-05-20 03:34 . 2010-05-20 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2010-05-20 03:34 . 2010-05-20 03:34 -------- d-----w- c:\program files\Common Files\Nitro PDF
2010-05-20 03:33 . 2010-05-20 03:33 -------- d-----w- c:\program files\Nitro PDF
2010-05-20 03:26 . 2010-05-20 03:26 -------- d-----w- c:\documents and settings\chris\Application Data\Downloaded Installations
2010-05-16 01:30 . 2010-05-16 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3
2010-05-16 01:07 . 2004-07-09 08:27 181248 ----a-w- c:\windows\system32\dllcache\dmime.dll
2010-05-16 00:59 . 2010-05-16 00:59 -------- d-----w- c:\program files\Microsoft Games
2010-05-16 00:49 . 2010-05-16 00:49 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-15 18:07 . 2010-05-15 18:07 -------- d-----w- c:\documents and settings\chris\Local Settings\Application Data\eyuoipjcq
2010-05-15 17:35 . 2010-05-15 17:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-15 17:35 . 2010-05-15 17:52 -------- d-----w- c:\program files\Microsoft
2010-05-15 14:53 . 2010-05-15 14:54 5642000 ----a-w- c:\documents and settings\chris\Application Data\TVU networks\AutoUpgrade\TVUPlayer2.5.3.1.exe
2010-04-27 18:22 . 2010-04-27 18:22 -------- d-----w- c:\windows\system32\TVUAx
2010-04-23 18:46 . 2010-04-23 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 13:11 . 2009-11-18 22:53 -------- d-----w- c:\documents and settings\chris\Application Data\vlc
2010-05-21 10:19 . 2009-12-06 06:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-20 22:44 . 2009-03-31 03:17 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-20 22:44 . 2009-02-09 18:39 -------- d-----w- c:\documents and settings\chris\Application Data\SpinTop
2010-05-20 22:39 . 2010-03-15 16:19 -------- d-----w- c:\program files\ForceTSPlayer
2010-05-20 20:45 . 2009-02-07 23:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-16 01:24 . 2006-07-22 01:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\chris\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-16 13:34 . 2010-03-25 19:22 439816 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\setup.exe
2010-03-27 16:24 . 2009-05-02 15:11 -------- d-----w- c:\documents and settings\chris\Application Data\TVU networks
2010-03-26 03:25 . 2010-03-26 03:24 20846064 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-26 03:24 . 2010-03-26 03:24 8405312 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-26 03:24 . 2010-03-26 03:24 149000 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-26 03:24 . 2010-03-26 03:23 10309448 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-26 03:23 . 2010-03-26 03:23 79368 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-26 03:23 . 2010-03-26 03:23 64000 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-26 03:23 . 2010-03-26 03:23 52288 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-26 03:23 . 2010-03-26 03:23 50688 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-26 03:23 . 2010-03-26 03:23 49152 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-26 03:23 . 2010-03-26 03:23 118784 ----a-w- c:\documents and settings\chris\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-10 06:15 . 2004-08-04 21:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 22:15 . 2010-03-03 22:15 5270157 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Evaluation\EPOAGENT3000\Install\0409\FramePkg.exe
2010-02-25 06:24 . 2004-08-04 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-01-19 12:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-05-06 22:08 . 2008-07-16 04:56 22 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-25 7569408]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-16 124224]
"nwiz"="nwiz.exe" [2006-08-25 1617920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^chris^Start Menu^Programs^StartUp^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\chris\Start Menu\Programs\StartUp\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipRaider

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-03-05 22:31 133104 -c--atw- c:\documents and settings\chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 -c--a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2009-09-25 09:50 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2006-03-23 18:38 131072 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-04-12 04:54 102400 -c--a-w- c:\program files\Hp\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-07 16:08 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-01-26 17:46 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SapGui\\saplogon.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\chris\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\chris\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ForceTSPlayer\\ppshell.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [31/08/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [06/01/2009 1:17 AM 70728]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [02/02/2010 12:35 PM 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [02/02/2010 12:35 PM 65856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [06/01/2009 1:17 AM 65448]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [08/07/2008 11:38 PM 91830]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [15/05/2010 8:49 PM 697328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\chris\Application Data\Mozilla\Firefox\Profiles\k90etxio.default\
FF - plugin: c:\documents and settings\chris\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\chris\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\chris\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\chris\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 20:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????|????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85545CEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72f8852
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf71d5bb0
PacketIndicateHandler -> NDIS.sys @ 0xf71c4a0d
SendHandler -> NDIS.sys @ 0xf71d8b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-21 20:48:42
ComboFix-quarantined-files.txt 2010-05-22 00:48

Pre-Run: 42,307,063,808 bytes free
Post-Run: 42,552,623,104 bytes free

- - End Of File - - 7729686E6C973C81C32A63E1DCB72E14


Also my taskbar and titlebar look like win98









#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:41 PM

Posted 22 May 2010 - 06:18 PM

Hi anto987,

Welcome to the Malware Removal (VTSMR) forum.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.


Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

Double-click to run TDLfix.exe, type the following in the command window and press Enter:

mbr

A log file opens up. Please post the content in your reply.

#3 Farbar

Posted 30 May 2010 - 05:52 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.



