malware infect computer unknown type


  • This topic is locked
3 replies to this topic

#1 finder50

Posted 06 December 2010 - 07:51 PM

Hi
The IE8 browser is locked out from Microsoft web sites; web pages will not load. Can't update Windows. In Firefox, Google gets rerouted when trying to open links. I was able to remove worm.foobFace.

P.S. When I tried to post this I was told I was timed out and could not post off the computer.

DDS (Ver_10-12-05.01) - NTFSx86
Run by sandy at 14:48:26.52 on Mon 12/06/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3293.2299 [GMT -8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\sandy\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\sandy\appdata\roaming\mozilla\firefox\profiles\e99pulvs.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 386712]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-10-8 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-10-8 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-10-8 144704]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-12-5 632792]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-10-8 14976]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-10-8 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-8 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-8 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-10-8 40552]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-10-8 34248]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-10-8 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-10-8 11104]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-9 1343400]

=============== Created Last 30 ================

2010-12-06 08:21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 08:21:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 06:19:58 388096 ----a-r- c:\users\sandy\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-06 06:19:58 -------- d-----w- c:\program files\Trend Micro
2010-12-06 05:36:31 -------- d-----w- c:\users\sandy\appdata\roaming\Malwarebytes
2010-12-06 05:36:25 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-06 05:36:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-06 01:00:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-06 01:00:39 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-06 00:09:19 -------- d-----w- c:\users\sandy\appdata\roaming\Registry Mechanic
2010-12-05 23:49:06 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-12-05 23:49:06 658432 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2010-12-05 23:49:06 506368 ----a-w- c:\windows\system32\msxml.dll
2010-12-05 23:49:06 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-12-05 23:49:06 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-12-05 23:49:06 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-12-05 23:49:06 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-05 23:49:04 -------- d-----w- c:\program files\common files\PC Tools
2010-12-05 07:00:57 -------- d-----w- c:\windows\system32\appmgmt
2010-12-03 08:53:28 -------- d-----w- c:\users\sandy\appdata\roaming\PCHC
2010-12-03 08:22:47 -------- d-----w- c:\program files\common files\Motive
2010-12-01 07:18:40 -------- d-----w- c:\users\sandy\appdata\local\ElevatedDiagnostics
2010-11-08 19:52:02 -------- d-----w- c:\users\sandy\appdata\local\Diagnostics

==================== Find3M ====================

2010-09-23 07:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-21 21:03:14 208768 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: Hitachi_HDS721050CLA362 rev.JP2OA3EA -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-2

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x862EA446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862f0504]; MOV EAX, [0x862f0580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8283D458] -> \Device\Harddisk0\DR0[0x862CA438]
3 CLASSPNP[0x8BAEB59E] -> ntkrnlpa!IofCallDriver[0x8283D458] -> [0x85508918]
5 ACPI[0x830463B2] -> ntkrnlpa!IofCallDriver[0x8283D458] -> \IdeDeviceP2T0L0-2[0x85E56908]
\Driver\atapi[0x862CBAA8] -> IRP_MJ_CREATE -> 0x862EA446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-2 -> \??\IDE#DiskHitachi_HDS721050CLA362________JP2OA3EA#5&142989c9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 14:49:13.72 ===============


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-06 15:47:00
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort2 Hitachi_HDS721050CLA362 rev.JP2OA3EA
Running: gmer.exe; Driver: C:\Users\sandy\AppData\Local\Temp\fglcypob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x8BA72090]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8BA720BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8BA720E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8BA720A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8BA7207C]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8BA72068]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8BA72111]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8BA720F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8BA720CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8282C148 5 Bytes JMP 8BA720D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82844599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82868F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!NtCreateFile 82A4BF0E 5 Bytes JMP 8BA72094 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82A4E495 5 Bytes JMP 8BA7206C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82A62BCD 5 Bytes JMP 8BA72115 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82A7CD6C 5 Bytes JMP 8BA720FC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82A7FF67 7 Bytes JMP 8BA720E6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82A80CD1 7 Bytes JMP 8BA720A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 82ADBE61 5 Bytes JMP 8BA720BE \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 82ADCD6F 5 Bytes JMP 8BA72080 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? C:\Users\sandy\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[248] ntdll.dll!NtProtectVirtualMemory 76F65380 5 Bytes JMP 003B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[248] ntdll.dll!NtWriteVirtualMemory 76F65F00 5 Bytes JMP 004E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[248] ntdll.dll!KiUserExceptionDispatcher 76F66448 5 Bytes JMP 003A000A
.text C:\Windows\system32\services.exe[488] kernel32.dll!GetStartupInfoA 75391DF0 5 Bytes JMP 00480087
.text C:\Windows\system32\services.exe[488] kernel32.dll!CreateProcessW 7539202D 5 Bytes JMP 004800A2
.text C:\Windows\system32\services.exe[488] kernel32.dll!CreateProcessA 75392062 5 Bytes JMP 00480F03
.text C:\Windows\system32\services.exe[488] kernel32.dll!CreateNamedPipeW 753C1FD6 5 Bytes JMP 0048000A
.text C:\Windows\system32\services.exe[488] kernel32.dll!CreatePipe 753C4A8B 5 Bytes JMP 00480076
.text C:\Windows\system32\services.exe[488] kernel32.dll!VirtualProtect 753D50AB 5 Bytes JMP 00480F83
.text C:\Windows\system32\services.exe[488] kernel32.dll!LoadLibraryExW 753DB6BF 5 Bytes JMP 00480051
.text C:\Windows\system32\services.exe[488] kernel32.dll!LoadLibraryExA 753DBC8B 5 Bytes JMP 00480036
.text C:\Windows\system32\services.exe[488] kernel32.dll!CreateFileW 753E0B7D 5 Bytes JMP 00480FD4
.text C:\Windows\system32\services.exe[488] kernel32.dll!GetProcAddress 753E1857 5 Bytes JMP 004800BD
.text C:\Windows\system32\services.exe[488] kernel32.dll!LoadLibraryA 753E2884 5 Bytes JMP 00480F9E
.text C:\Windows\system32\services.exe[488] kernel32.dll!LoadLibraryW 753E28D2 5 Bytes JMP 00480025
.text C:\Windows\system32\services.exe[488] kernel32.dll!CreateFileA 753E291C 5 Bytes JMP 00480FEF
.text C:\Windows\system32\services.exe[488] kernel32.dll!GetStartupInfoW 753E7CD5 5 Bytes JMP 00480F39
.text C:\Windows\system32\services.exe[488] kernel32.dll!CreateNamedPipeA 7541D5BF 5 Bytes JMP 00480FB9
.text C:\Windows\system32\services.exe[488] kernel32.dll!WinExec 7541E76D 5 Bytes JMP 00480F28
.text C:\Windows\system32\services.exe[488] kernel32.dll!VirtualProtectEx 7541F729 5 Bytes JMP 00480F68
.text C:\Windows\system32\services.exe[488] msvcrt.dll!_open 766D7E48 5 Bytes JMP 004E0FEF
.text C:\Windows\system32\services.exe[488] msvcrt.dll!_wsystem 7670B04F 5 Bytes JMP 004E0FB2
.text C:\Windows\system32\services.exe[488] msvcrt.dll!system 7670B16F 5 Bytes JMP 004E003D
.text C:\Windows\system32\services.exe[488] msvcrt.dll!_creat 7670ED29 5 Bytes JMP 004E0FDE
.text C:\Windows\system32\services.exe[488] msvcrt.dll!_wcreat 7671038E 5 Bytes JMP 004E0FCD
.text C:\Windows\system32\services.exe[488] msvcrt.dll!_wopen 76710570 5 Bytes JMP 004E0018
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegOpenKeyA 7547D2ED 5 Bytes JMP 004D0FEF
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegCreateKeyA 7547D3C1 5 Bytes JMP 004D0036
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegCreateKeyExA 75481B71 5 Bytes JMP 004D0FAF
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegCreateKeyW 75481CC0 5 Bytes JMP 004D005B
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegOpenKeyW 75483129 5 Bytes JMP 004D0FDE
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegCreateKeyExW 7548B946 5 Bytes JMP 004D0F9E
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegOpenKeyExA 7548BC0D 5 Bytes JMP 004D0014
.text C:\Windows\system32\services.exe[488] ADVAPI32.dll!RegOpenKeyExW 7548BEC4 5 Bytes JMP 004D0025
.text C:\Windows\system32\services.exe[488] WININET.dll!InternetOpenA 76CA7DDC 5 Bytes JMP 00E30000
.text C:\Windows\system32\services.exe[488] WININET.dll!InternetOpenW 76CA9D60 5 Bytes JMP 00E3001B
.text C:\Windows\system32\services.exe[488] WININET.dll!InternetOpenUrlA 76CADBD8 5 Bytes JMP 00E30FEF
.text C:\Windows\system32\services.exe[488] WININET.dll!InternetOpenUrlW 76CFDCB0 5 Bytes JMP 00E30FD4
.text C:\Windows\system32\services.exe[488] WS2_32.dll!socket 76C43F00 5 Bytes JMP 00E20FEF
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!GetStartupInfoA 75391DF0 5 Bytes JMP 001D0F5E
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!CreateProcessW 7539202D 5 Bytes JMP 001D00B6
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!CreateProcessA 75392062 5 Bytes JMP 001D0F21
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!CreateNamedPipeW 753C1FD6 5 Bytes JMP 001D0FCA
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!CreatePipe 753C4A8B 5 Bytes JMP 001D0087
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!VirtualProtect 753D50AB 5 Bytes JMP 001D0F79
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!LoadLibraryExW 753DB6BF 5 Bytes JMP 001D0051
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!LoadLibraryExA 753DBC8B 5 Bytes JMP 001D0F9E
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!CreateFileW 753E0B7D 5 Bytes JMP 001D001B
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!GetProcAddress 753E1857 5 Bytes JMP 001D00C7
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!LoadLibraryA 753E2884 5 Bytes JMP 001D0FAF
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!LoadLibraryW 753E28D2 5 Bytes JMP 001D0036
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!CreateFileA 753E291C 5 Bytes JMP 001D000A
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!GetStartupInfoW 753E7CD5 5 Bytes JMP 001D0F43
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!CreateNamedPipeA 7541D5BF 5 Bytes JMP 001D0FE5
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!WinExec 7541E76D 5 Bytes JMP 001D0F32
.text C:\Windows\system32\lsass.exe[512] kernel32.dll!VirtualProtectEx 7541F729 5 Bytes JMP 001D006C
.text C:\Windows\system32\lsass.exe[512] msvcrt.dll!_open 766D7E48 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\lsass.exe[512] msvcrt.dll!_wsystem 7670B04F 5 Bytes JMP 001F0F94
.text C:\Windows\system32\lsass.exe[512] msvcrt.dll!system 7670B16F 5 Bytes JMP 001F0FB9
.text C:\Windows\system32\lsass.exe[512] msvcrt.dll!_creat 7670ED29 5 Bytes JMP 001F0018
.text C:\Windows\system32\lsass.exe[512] msvcrt.dll!_wcreat 7671038E 5 Bytes JMP 001F0029
.text C:\Windows\system32\lsass.exe[512] msvcrt.dll!_wopen 76710570 5 Bytes JMP 001F0FDE
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegOpenKeyA 7547D2ED 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegCreateKeyA 7547D3C1 5 Bytes JMP 001E002F
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegCreateKeyExA 75481B71 5 Bytes JMP 001E004A
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegCreateKeyW 75481CC0 5 Bytes JMP 001E0FA8
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegOpenKeyW 75483129 5 Bytes JMP 001E0014
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegCreateKeyExW 7548B946 5 Bytes JMP 001E0065
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegOpenKeyExA 7548BC0D 5 Bytes JMP 001E0FDE
.text C:\Windows\system32\lsass.exe[512] ADVAPI32.dll!RegOpenKeyExW 7548BEC4 5 Bytes JMP 001E0FCD
.text C:\Windows\system32\lsass.exe[512] WININET.dll!InternetOpenA 76CA7DDC 5 Bytes JMP 00B60FEF
.text C:\Windows\system32\lsass.exe[512] WININET.dll!InternetOpenW 76CA9D60 5 Bytes JMP 00B60FD4
.text C:\Windows\system32\lsass.exe[512] WININET.dll!InternetOpenUrlA 76CADBD8 5 Bytes JMP 00B6000A
.text C:\Windows\system32\lsass.exe[512] WININET.dll!InternetOpenUrlW 76CFDCB0 5 Bytes JMP 00B6001B
.text C:\Windows\system32\lsass.exe[512] WS2_32.dll!socket 76C43F00 5 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!GetStartupInfoA 75391DF0 5 Bytes JMP 004300C7
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateProcessW 7539202D 5 Bytes JMP 00430F72
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateProcessA 75392062 5 Bytes JMP 00430107
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateNamedPipeW 753C1FD6 5 Bytes JMP 00430040
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreatePipe 753C4A8B 5 Bytes JMP 00430F9E
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!VirtualProtect 753D50AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!VirtualProtect 753D50AB 5 Bytes JMP 00430FAF
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!LoadLibraryExW 753DB6BF 5 Bytes JMP 0043007D
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!LoadLibraryExA 753DBC8B 5 Bytes JMP 0043006C
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateFileW 753E0B7D 5 Bytes JMP 00430FE5
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!GetProcAddress 753E1857 5 Bytes JMP 00430122
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!LoadLibraryA 753E2884 5 Bytes JMP 00430FD4
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!LoadLibraryW 753E28D2 5 Bytes JMP 0043005B
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateFileA 753E291C 5 Bytes JMP 00430000
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!GetStartupInfoW 753E7CD5 5 Bytes JMP 004300E2
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateNamedPipeA 7541D5BF 5 Bytes JMP 00430025
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!WinExec 7541E76D 5 Bytes JMP 00430F83
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!VirtualProtectEx 7541F729 5 Bytes JMP 004300AC
.text C:\Windows\system32\svchost.exe[680] msvcrt.dll!_open 766D7E48 5 Bytes JMP 00450FEF
.text C:\Windows\system32\svchost.exe[680] msvcrt.dll!_wsystem 7670B04F 5 Bytes JMP 00450FD4
.text C:\Windows\system32\svchost.exe[680] msvcrt.dll!system 7670B16F 5 Bytes JMP 0045005F
.text C:\Windows\system32\svchost.exe[680] msvcrt.dll!_creat 7670ED29 5 Bytes JMP 00450033
.text C:\Windows\system32\svchost.exe[680] msvcrt.dll!_wcreat 7671038E 5 Bytes JMP 00450044
.text C:\Windows\system32\svchost.exe[680] msvcrt.dll!_wopen 76710570 5 Bytes JMP 00450018
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyA 7547D2ED 5 Bytes JMP 00440FE5
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyA 7547D3C1 5 Bytes JMP 00440FC3
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExA 75481B71 5 Bytes JMP 00440065
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyW 75481CC0 5 Bytes JMP 0044004A
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyW 75483129 5 Bytes JMP 0044000A
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExW 7548B946 5 Bytes JMP 00440FA8
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExA 7548BC0D 5 Bytes JMP 00440FD4
.text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExW 7548BEC4 5 Bytes JMP 00440025
.text C:\Windows\system32\svchost.exe[680] WININET.dll!InternetOpenA 76CA7DDC 5 Bytes JMP 00480000
.text C:\Windows\system32\svchost.exe[680] WININET.dll!InternetOpenW 76CA9D60 5 Bytes JMP 00480011
.text C:\Windows\system32\svchost.exe[680] WININET.dll!InternetOpenUrlA 76CADBD8 5 Bytes JMP 0048002C
.text C:\Windows\system32\svchost.exe[680] WININET.dll!InternetOpenUrlW 76CFDCB0 5 Bytes JMP 0048003D
.text C:\Windows\system32\svchost.exe[680] WS2_32.dll!socket 76C43F00 5 Bytes JMP 00460000
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!GetStartupInfoA 75391DF0 5 Bytes JMP 00210F68
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateProcessW 7539202D 5 Bytes JMP 002100D1
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateProcessA 75392062 5 Bytes JMP 00210F3C
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeW 753C1FD6 5 Bytes JMP 00210FCA
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreatePipe 753C4A8B 5 Bytes JMP 00210091
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!VirtualProtect 753D50AB 5 Bytes JMP 00210F79
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryExW 753DB6BF 5 Bytes JMP 00210F94
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryExA 753DBC8B 5 Bytes JMP 00210051
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateFileW 753E0B7D 5 Bytes JMP 00210000
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!GetProcAddress 753E1857 5 Bytes JMP 002100E2
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryA 753E2884 5 Bytes JMP 00210FB9
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryW 753E28D2 5 Bytes JMP 00210036
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateFileA 753E291C 5 Bytes JMP 00210FEF
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!GetStartupInfoW 753E7CD5 5 Bytes JMP 002100AC
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeA 7541D5BF 5 Bytes JMP 0021001B
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!WinExec 7541E76D 5 Bytes JMP 00210F4D
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!VirtualProtectEx 7541F729 5 Bytes JMP 0021006C
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_open 766D7E48 5 Bytes JMP 00230000
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_wsystem 7670B04F 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_wsystem 7670B04F 5 Bytes JMP 00230053
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!system 7670B16F 5 Bytes JMP 00230038
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_creat 7670ED29 5 Bytes JMP 00230027
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_wcreat 7671038E 5 Bytes JMP 00230FD2
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_wopen 76710570 5 Bytes JMP 00230FE3
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyA 7547D2ED 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyA 7547D3C1 5 Bytes JMP 00220040
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExA 75481B71 5 Bytes JMP 00220F94
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 75481CC0 5 Bytes JMP 00220FAF
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyW 75483129 5 Bytes JMP 00220025
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExW 7548B946 5 Bytes JMP 00220F83
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExA 7548BC0D 5 Bytes JMP 00220FEF
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExW 7548BEC4 5 Bytes JMP 00220FDE
.text C:\Windows\system32\svchost.exe[760] WININET.dll!InternetOpenA 76CA7DDC 5 Bytes JMP 00580000
.text C:\Windows\system32\svchost.exe[760] WININET.dll!InternetOpenW 76CA9D60 5 Bytes JMP 00580FEF
.text C:\Windows\system32\svchost.exe[760] WININET.dll!InternetOpenUrlA 76CADBD8 5 Bytes JMP 00580025
.text C:\Windows\system32\svchost.exe[760] WININET.dll!InternetOpenUrlW 76CFDCB0 5 Bytes JMP 00580FCA
.text C:\Windows\system32\svchost.exe[760] WS2_32.dll!socket 76C43F00 5 Bytes JMP 00360000
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetStartupInfoA 75391DF0 5 Bytes JMP 00650091
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateProcessW 7539202D 5 Bytes JMP 00650F4D
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateProcessA 75392062 5 Bytes JMP 006500D8
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 753C1FD6 5 Bytes JMP 00650FC3
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreatePipe 753C4A8B 5 Bytes JMP 00650076
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!VirtualProtect 753D50AB 5 Bytes JMP 0065005B
.text C:\Windows\System32\svchost.exe[4016] msvcrt.dll!system 7670B16F 5 Bytes JMP 00100022
.text C:\Windows\System32\svchost.exe[4016] msvcrt.dll!_creat 7670ED29 5 Bytes JMP 00100011
.text C:\Windows\System32\svchost.exe[4016] msvcrt.dll!_wcreat 7671038E 5 Bytes JMP 00100FB2
.text C:\Windows\System32\svchost.exe[4016] msvcrt.dll!_wopen 76710570 5 Bytes JMP 00100000
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegOpenKeyA 7547D2ED 5 Bytes JMP 0011000A
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegCreateKeyA 7547D3C1 5 Bytes JMP 00110051
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegCreateKeyExA 75481B71 5 Bytes JMP 00110FAF
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegCreateKeyW 75481CC0 5 Bytes JMP 00110FC0
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegOpenKeyW 75483129 5 Bytes JMP 00110FEF
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegCreateKeyExW 7548B946 5 Bytes JMP 00110076
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegOpenKeyExA 7548BC0D 5 Bytes JMP 00110025
.text C:\Windows\System32\svchost.exe[4016] ADVAPI32.dll!RegOpenKeyExW 7548BEC4 5 Bytes JMP 00110036
.text C:\Windows\System32\svchost.exe[4016] ole32.dll!CoCreateInstance 7567590C 5 Bytes JMP 00F5000A
.text C:\Windows\System32\svchost.exe[4016] USER32.dll!GetCursorPos 765EC198 5 Bytes JMP 0060000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1796] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FC5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1796] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74FC5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1796] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74FC5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1796] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FC5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1796] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74FC5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1796] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74FC5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 862EA292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 862EA292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 862EA292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 862EA292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-3 862EA292

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device Fs_Rec.sys (File System Recognizer Driver/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP2T0L0-2 -> \??\IDE#DiskHitachi_HDS721050CLA362_________________JP2OA3EA#5&142989c9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4<-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:36 PM

Posted 13 December 2010 - 11:18 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr


Posted 16 December 2010 - 11:26 PM

Hello

three day bump

It has been Three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr


Posted 20 December 2010 - 04:19 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo



