tdss.tdl4 removal help



#1 jmillerofthewood


Posted 23 September 2010 - 03:27 PM

Ok,
I have a Dell Inspiron 6400 laptop running XP SP2.
After auto-downloading SP3, the laptop would not boot in any mode.
I reinstalled SP2 and began to notice a lot of redirects from browser searches.

I have run MBAM, HijackThis, DDS, GMER, SUPERAntiSpyware & TDSSKiller.

Some things have been detected & 'corrected', but the TDSS still appears in subsequent TDSSKiller scans
(tdss.tdl4 (Hard Drive0/MBR)).

Below is a DDS and GMER log. I have logs from MBAM, HijackThis & TDSSKiller if needed as well.

I would appreciate any help. I have two other computers showing signs of similar infection, but will tackle this one first.

Thank you very much.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Norman Crow at 15:31:46.89 on Wed 09/22/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.763 [GMT -5:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\AOL\1174849192\ee\AOLSoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TDxVGAUTIL.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Norman Crow\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100803111818.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [HostManager] c:\program files\common files\aol\1174849192\ee\AOLSoftware.exe
mRun: [TDxVGAUTIL] c:\windows\system32\TDxVGAUTIL.EXE
mRun: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [QuickBooksDB19] c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -n qb_nlaptop_19 -qs -gd all -gk all -gp 4096 -gu all -ch 128m -c 64m -x tcpip(broadcastlistener=no;port=55333) -ti 0 -ec simple -qi -qw -tl 120 -oe c:\docume~1\alluse~1\applic~1\intuit\quickb~2\DBSTAR~1.LOG -y
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [SigmatelSysTrayApp] stsystra.exe
StartupFolder: c:\docume~1\norman~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mile.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {54A35DCA-211D-48CA-B618-CC0777B7DDB0} = 66.184.128.38,207.230.75.50
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {FDC32A47-A70D-4F9E-97DD-7E08EA9C6BF8} - rundll32.exe "c:\documents and settings\norman crow\application data\bitrix security\fadosvlk.dll", DllUnrer

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\norman~1\applic~1\mozilla\firefox\profiles\7enaiomx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-2-20 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-2-20 14144]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-12-16 222528]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2008-2-20 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-2-20 282824]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-15 1247600]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2008-2-20 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2008-2-20 35272]
R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [2007-3-29 233984]
R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [2007-3-29 234496]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2007-3-29 27135]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2008-2-20 34248]
S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.sys [2007-3-29 22528]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

=============== Created Last 30 ================

2010-09-22 16:18:14 0 d-----w- c:\program files\Trend Micro
2010-09-21 16:58:50 0 d-----w- C:\TDSSKiller_Quarantine
2010-09-21 14:28:11 0 d-----w- c:\windows\pss
2010-09-21 13:26:50 0 d-----w- c:\docume~1\norman~1\applic~1\Bitrix Security
2010-09-21 04:31:27 47616 ---ha-w- c:\windows\system32\boots-sd.dll
2010-09-20 15:43:50 0 d-----w- c:\docume~1\norman~1\applic~1\SUPERAntiSpyware.com
2010-09-20 15:43:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-20 15:43:41 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-19 12:47:49 926 ----a-w- C:\MFW8.xml
2010-09-19 00:25:27 1630 ----a-w- C:\MFW7.xml
2010-09-18 22:38:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-18 22:38:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 19:59:43 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-09-18 19:59:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-09-18 13:41:37 0 d-----w- c:\windows\system32\LogFiles
2010-09-18 13:41:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-09-18 00:03:02 0 d-----w- C:\9a9d5fba148b37cfcfc75b
2010-09-17 16:17:31 0 d-----w- c:\docume~1\norman~1\applic~1\Malwarebytes
2010-09-17 16:17:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 16:17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 16:17:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-17 16:17:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 12:19:59 4096 -c--a-w- c:\windows\system32\dllcache\rpcref.dll
2010-09-17 12:18:59 81976 -c--a-w- c:\windows\system32\dllcache\imjpdct.dll
2010-09-17 12:17:59 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-09-17 12:16:59 876653 -c--a-w- c:\windows\system32\dllcache\fp4awel.dll
2010-09-17 12:14:40 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-09-17 12:14:32 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-09-17 12:14:09 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-09-17 12:13:32 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-09-17 12:13:31 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-09-17 12:13:31 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-09-17 12:13:31 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-09-16 16:26:24 2145386496 ----a-w- c:\windows\MEMORY.DMP
2010-09-16 16:26:24 0 d-----w- c:\windows\dell

==================== Find3M ====================

2010-09-17 12:12:21 23428 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-08-31 20:18:16 6840 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:43:50.79 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-23 11:43:19
Windows 5.1.2600 Service Pack 2
Running: mj97nhtw.exe; Driver: C:\DOCUME~1\NORMAN~1\LOCALS~1\Temp\fxddqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB1347620]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB128878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB1288738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB128874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB12887CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB1288710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB1288724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB128879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB1288776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB1288762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB12887F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB12887E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB12887B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80503DD0 7 Bytes JMP B12887B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577E48 5 Bytes JMP B128878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B09B6 7 Bytes JMP B12887CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B17C4 5 Bytes JMP B12887E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6D8A 7 Bytes JMP B12887A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9C64 5 Bytes JMP B1288714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C9EF0 5 Bytes JMP B1288728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CC6AE 5 Bytes JMP B1288766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF984 7 Bytes JMP B1288750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFA3A 5 Bytes JMP B128873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805CFF5C 5 Bytes JMP B128877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D118C 5 Bytes JMP B12887FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 011F0000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 011F0FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 011F00AE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 011F0087
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 011F0076
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 011F004A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 011F00C9
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 011F0F81
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 011F00F5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 011F00DA
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 011F0106
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 011F005B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 011F0FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 011F0FA8
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 011F0025
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 011F0FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 011F0F66
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 011E001B
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 011E006C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 011E000A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 011E0FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 011E0051
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 011E0FAF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 011E0FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 011E0036
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011D0031
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] msvcrt.dll!system 77C293C7 5 Bytes JMP 011D0FA6
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011D0FB7
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011D0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011D0016
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011D0FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 011C0000
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 011C0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 011C0025
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 011C0040
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[248] WS2_32.dll!socket 01143B91 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01370000
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01370F91
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01370FB6
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01370084
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01370069
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01370058
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 013700C6
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01370F80
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 013700FC
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01370F63
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 01370117
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 01370FD1
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01370011
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 013700A1
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01370033
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 01370022
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 013700E1
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30FB4
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D3003F
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D3001D
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D3002E
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D3000C
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01360025
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01360F8D
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01360FD4
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01360FEF
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0136004A
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01360FA8
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0136000A
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01360FB9
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00D20FB9
.text C:\WINDOWS\system32\services.exe[788] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FE0F52
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FE0F6D
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FE0047
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FE0076
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FE0F24
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FE0EF8
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FE0091
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00FE00AC
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00FE0F41
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00FE0F09
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D30F79
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D30025
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D30F94
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D30FA5
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D30036
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20027
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D20FA6
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FC1
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20016
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20FDE
.text C:\WINDOWS\system32\lsass.exe[808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[808] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\lsass.exe[808] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\lsass.exe[808] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\lsass.exe[808] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00D10FAF
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 024A004A
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 024A0F4B
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 024A002F
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 024A0F72
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 024A0F9E
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 024A005B
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 024A0F13
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 024A0076
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 024A0EDD
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 024A0EC2
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 024A0F8D
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 024A0FDE
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 024A0F3A
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 024A0014
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 024A0FC3
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 024A0EF8
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02480FCA
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0248006C
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02480025
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02480FEF
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02480051
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02480040
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0248000A
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02480FB9
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02470FAD
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!system 77C293C7 5 Bytes JMP 02470038
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02470FD9
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0247000C
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02470FC8
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0247001D
.text C:\WINDOWS\system32\svchost.exe[1048] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 02460FEF
.text C:\WINDOWS\system32\svchost.exe[1048] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 0246000A
.text C:\WINDOWS\system32\svchost.exe[1048] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 02460FD4
.text C:\WINDOWS\system32\svchost.exe[1048] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 0246001B
.text C:\WINDOWS\system32\svchost.exe[1048] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02450FEF
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EB0080
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EB005B
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EB004A
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EB0F8D
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EB0FAF
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EB0F53
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EB009B
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EB00E2
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EB00D1
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00EB0F24
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00EB0F9E
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00EB0F70
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00EB00C0
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00EA0011
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00EA0065
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00EA0FCA
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00EA0F9E
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00EA0040
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00EA0FAF
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E9002F
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90FA4
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90FC6
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90FE3
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90FB5
.text C:\WINDOWS\system32\svchost.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00E80FD4
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\svchost.exe[1120] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00E80FC3
.text C:\WINDOWS\system32\svchost.exe[1120] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E7000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A8000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00A9000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A7000C
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 03A20FE5
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 03A20053
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 03A20038
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 03A20F5E
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 03A20F79
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 03A20FA5
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 03A20089
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 03A20F43
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 03A20F0B
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 03A20F1C
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 03A20EF0
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 03A20F8A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 03A20FCA
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 03A2006E
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 03A20011
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 03A20000
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 03A2009A
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 03A10011
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 03A10062
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 03A10FCA
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 03A10FE5
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 03A10047
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 03A10036
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 03A10000
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 03A10FA5
.text C:\WINDOWS\System32\svchost.exe[1164] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 015F000A
.text C:\WINDOWS\System32\svchost.exe[1164] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 014B000A
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03A00053
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 03A00042
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03A00FC8
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03A00000
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03A0001D
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03A00FE3
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 039F000A
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 039F0025
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 039F0036
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 039F0047
.text C:\WINDOWS\System32\svchost.exe[1164] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 039E0FEF
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A60FAF
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A600A4
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A60FC0
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A60073
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A60051
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A600ED
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A600DC
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A60F6F
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A60F8A
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00A60F54
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00A60062
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00A60025
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00A600B5
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00A60040
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A60108
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A50F7C
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A50039
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A50F97
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A50FA8
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40038
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40FA3
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A40FD9
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A4000C
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A40FC8
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A4001D
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E70F64
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E70F75
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E70F86
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E70039
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E70F49
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E7008F
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E700B6
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E70F1D
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00E70F02
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00E70F97
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00E70074
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00E70FC3
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00E70F38
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E60025
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E60FA1
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E60FB2
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E60054
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E50047
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E50FB2
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50022
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50FCD
.text C:\WINDOWS\system32\svchost.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50FDE
.text C:\WINDOWS\system32\svchost.exe[1344] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[1344] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\svchost.exe[1344] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00E40014
.text C:\WINDOWS\system32\svchost.exe[1344] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00E40FC3
.text C:\WINDOWS\system32\svchost.exe[1344] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A20098
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A2007D
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A20062
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A20051
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A20F6D
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A200B5
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A200F5
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A200DA
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00A20F41
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00A20040
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00A20F88
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A20F5C
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A10036
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A10076
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A10047
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00FB7
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00038
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A0000C
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A0001D
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[2052] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[2052] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[2052] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\system32\svchost.exe[2052] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 009F0025
.text C:\WINDOWS\Explorer.EXE[2144] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 01C3000A
.text C:\WINDOWS\Explorer.EXE[2144] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 01C4000A
.text C:\WINDOWS\Explorer.EXE[2144] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0157000C
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01E30000
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01E30090
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01E30F9B
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01E30FB6
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01E30073
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01E30051
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01E300D2
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01E300B7
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01E300E3
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01E30F54
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 01E30F25
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 01E30062
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01E3001B
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 01E30F8A
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01E30036
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 01E30FE5
.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 01E30F6F
.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01E10053
.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!system 77C293C7 5 Bytes JMP 01E10042
.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01E10FD2
.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01E10FEF
.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01E10031
.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01E10000
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01E2001E
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01E2004A
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01E20FC3
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01E20FD4
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01E20F8D
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01E2002F
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01E20FEF
.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01E20FA8
.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01E00000
.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01E0001B
.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01E00036
.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01E00047
.text C:\WINDOWS\Explorer.EXE[2144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01DF0FE5
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:58 PM

Posted 24 September 2010 - 12:02 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not Attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Scan With RKUnHooker
  • Please download Rootkit Unhooker. Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. Then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning. It is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr


Posted 27 September 2010 - 02:34 AM

Hello

three day bump

It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo


#4 gringo_pr


Posted 30 September 2010 - 05:32 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo




