redirect virus


4 replies to this topic

#1 JUSTgimme_aHAMMER
  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 08 February 2011 - 12:03 AM

Hi, I'm pretty new to this site, but it has worked for me before, so I am starting to build faith. I have spent about 6 hours trying to fix this; I'm not sure of the cause.

Problem: When I use a search engine such as Google, my entry yields results, and when I click on any of the results, I am redirected to some random site; most of the time it is another type of search engine. IN ADDITION to this, my MCAFEE software keeps populating the same 2 warnings: conhost.exe wants internet access, and crss.exe wants internet access.

Last night I had a trojan and MCAFEE caught it and supposedly removed it, causing a restart. I left the computer off and did not use it again until this afternoon. My browsing was fine until some Facebook winning message came up when I was trying to click on something different, and I was not on Facebook. I immediately tried to 'x' out of it, but some message popped up about "are you sure?...etc", so I hit ctrl-alt-del and end task to get out. The problem just grew from there.

I am running on Windows XP SP3

I have tried virus scans and deleting temporary files. So far nothing is working. Please help for the love...I am ready to just get a hammer to fix it!!!

Edited by Budapest, 08 February 2011 - 12:24 AM.
Moved from General Chat ~BP



#2 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:02:19 AM

Posted 16 February 2011 - 01:28 PM

Hello and welcome to BleepingComputer.

Let's see what we're dealing with here.

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running. This is because some anti-malware software mistakenly detects RKill as malicious. Please refer to this page if you are not sure how to disable your security software.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
***************************************************

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 JUSTgimme_aHAMMER
  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 08 March 2011 - 05:09 PM

Hello, sorry for the long response. The above steps worked for me; however, it has been a few weeks and now the Google virus is back. I tried RKill again, which did not report that it stopped anything. I ran MBAM and it did detect some things and removed them, but Google is still redirecting. I found another user's post on the subject and tried some of the steps from there. But now I am not sure what else needs to be done.

#4 JUSTgimme_aHAMMER
  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 08 March 2011 - 05:23 PM

MBAM log from 2/7/2011
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5709

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/7/2011 11:59:16 PM
mbam-log-2011-02-07 (23-59-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 226654
Time elapsed: 46 minute(s), 55 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
c:\documents and settings\Shane\application data\dwm.exe (Trojan.Downloader) -> 804 -> No action taken.
c:\documents and settings\Shane\application data\microsoft\conhost.exe (Trojan.Downloader) -> 3220 -> No action taken.

Memory Modules Infected:
c:\WINDOWS\system32\cryptnet32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ineufbr1v (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Downloader) -> Value: conhost -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Value: Shell -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bfajdnmx (Trojan.FakeAlert.Gen) -> Value: bfajdnmx -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Downloader) -> Bad: (C:\DOCUME~1\Shane\LOCALS~1\Temp\csrss.exe) Good: () -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cryptnet32.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\Shane\application data\dwm.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Shane\application data\microsoft\conhost.exe (Trojan.Downloader) -> No action taken.
c:\Documents and Settings\Shane\Local Settings\Temp\csrss.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\Shane\local settings\Temp\msitcm.cpl (Rootkit.MBR) -> No action taken.
c:\system volume information\_restore{0362c142-db9b-46e7-a031-dd1852d15bf7}\RP567\A0265942.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{0362c142-db9b-46e7-a031-dd1852d15bf7}\RP567\A0265933.dll (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{0362c142-db9b-46e7-a031-dd1852d15bf7}\RP567\A0266025.dll (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{0362c142-db9b-46e7-a031-dd1852d15bf7}\RP567\A0266028.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{0362c142-db9b-46e7-a031-dd1852d15bf7}\RP568\A0266095.exe (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\crt.dat (Malware.Trace) -> No action taken.

MBAM log from 3/5/2011
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5968

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/5/2011 5:10:59 PM
mbam-log-2011-03-05 (17-10-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 247196
Time elapsed: 57 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Shane\local settings\Temp\rterrd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Shane\local settings\Temp\kjghsad.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Shane\local settings\temporary internet files\Content.IE5\ZIRUMGLJ\ids2[1].htm (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Shane\start menu\spyware protection .lnk (Malware.Trace) -> Quarantined and deleted successfully.

I ran GMER based on another post I read and here is that log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-08 15:56:27
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD3200AAKS-00L9A0 rev.01.03E01
Running: ff8cy7ss.exe; Driver: C:\DOCUME~1\Shane\LOCALS~1\Temp\kgryqaow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB7EAF0E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB7EAF0F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB7EAF120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB7EAF176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB7EAF0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB7EAF0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB7EAF0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB7EAF10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB7EAF14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB7EAF136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB7EAF1A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7EAF18C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB7EAF160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B7EAF164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B7EAF17A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B7EAF190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B7EAF150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B7EAF0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B7EAF0BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B7EAF1A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B7EAF13A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B7EAF10E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B7EAF0E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B7EAF0F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B7EAF124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B7EAF0D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xB7F65314]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB20A4380, 0x550AF5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[268] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\System32\svchost.exe[268] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60000
.text C:\WINDOWS\System32\svchost.exe[268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60FCA
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50056
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50F61
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50F7C
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50F97
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50FA8
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B5007D
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50F35
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50F1A
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B500B3
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B50F09
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B50039
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B50FD4
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B50F46
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B5000A
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B50098
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE001B
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0000
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BE005B
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0040
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0033
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0044
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[268] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\System32\svchost.exe[268] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[268] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00B70011
.text C:\WINDOWS\System32\svchost.exe[268] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00B70FB6
.text C:\WINDOWS\System32\svchost.exe[268] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AA0000
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AA0011
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90F65
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90064
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90F8A
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90FA5
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A9002C
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A900AD
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A9009C
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A900CF
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A90F36
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A90F1B
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A90047
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A90000
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A90075
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A90FC0
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A90011
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A900BE
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C0001B
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00062
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00000
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FCA
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00047
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C00FA5
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C0002C
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0053
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FC8
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0038
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF000C
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0FD9
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF001D
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00AB000A
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00AB001B
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00AB0036
.text C:\WINDOWS\System32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC000A
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1508] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1508] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050014
.text C:\WINDOWS\system32\services.exe[1508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F66
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040F77
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040051
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040093
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040F4B
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000400D3
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000400B8
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000400E4
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040076
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[1508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F3A
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F6006C
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60FA5
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F60FC0
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 89]
.text C:\WINDOWS\system32\services.exe[1508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60047
.text C:\WINDOWS\system32\services.exe[1508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50055
.text C:\WINDOWS\system32\services.exe[1508] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F5003A
.text C:\WINDOWS\system32\services.exe[1508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\services.exe[1508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\services.exe[1508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\system32\services.exe[1508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50029
.text C:\WINDOWS\system32\services.exe[1508] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1508] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[1508] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[1508] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[1508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\lsass.exe[1520] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\lsass.exe[1520] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D20FCD
.text C:\WINDOWS\system32\lsass.exe[1520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D20FDE
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F66
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F77
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD005B
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F24
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0EE7
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0EF8
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0ED6
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD006C
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F13
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10F76
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10F91
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C1003D
.text C:\WINDOWS\system32\lsass.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C1002C
.text C:\WINDOWS\system32\lsass.exe[1520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00FB4
.text C:\WINDOWS\system32\lsass.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00049
.text C:\WINDOWS\system32\lsass.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00027
.text C:\WINDOWS\system32\lsass.exe[1520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\lsass.exe[1520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00038
.text C:\WINDOWS\system32\lsass.exe[1520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C0000C
.text C:\WINDOWS\system32\lsass.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\lsass.exe[1520] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[1520] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\lsass.exe[1520] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\lsass.exe[1520] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F48
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F63
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60F7E
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60047
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60EFF
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F1C
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60ED3
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60062
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60087
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F2D
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FCA
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C60EEE
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FC0
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB0F6F
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0011
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB002C
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0F94
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0FB2
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0FC3
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0018
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0029
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[1716] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00C8002F
.text C:\WINDOWS\system32\svchost.exe[1716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DE0FE5
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DE0FCA
.text C:\WINDOWS\system32\svchost.exe[1788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0F5A
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F75
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0F86
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0043
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD001E
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD0F1D
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F2E
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD00A5
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F0C
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD0EF1
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD0F97
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD0FDE
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD0F49
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0FA8
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD0FCD
.text C:\WINDOWS\system32\svchost.exe[1788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD008A
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E2002C
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20F79
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20011
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20F8A
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E20FA5
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [02, 89]
.text C:\WINDOWS\system32\svchost.exe[1788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E20FC0
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E10FAD
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E10038
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E1001D
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E10FE3
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E10FC8
.text C:\WINDOWS\system32\svchost.exe[1788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E10000
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DF0FDE
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DF0014
.text C:\WINDOWS\system32\svchost.exe[1788] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00DF002F
.text C:\WINDOWS\system32\svchost.exe[1788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\System32\svchost.exe[1832] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02820000
.text C:\WINDOWS\System32\svchost.exe[1832] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02820036
.text C:\WINDOWS\System32\svchost.exe[1832] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02820025
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02810FEF
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02810F8D
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02810082
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02810F9E
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02810FB9
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02810036
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0281009D
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02810F55
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 028100C9
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02810F30
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02810F15
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0281005B
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0281000A
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02810F72
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02810FCA
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0281001B
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 028100AE
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02860014
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02860F8D
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02860FCD
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02860FDE
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0286004A
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02860FEF
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02860F9E
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A6, 8A]
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02860025
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02850058
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!system 77C293C7 5 Bytes JMP 0285003D
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02850FDE
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02850FEF
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02850FCD
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0285000C
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02830FEF
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0283000A
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02830FCA
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 02830FB9
.text C:\WINDOWS\System32\svchost.exe[1832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02840FEF
.text C:\WINDOWS\system32\svchost.exe[1884] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1884] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007D0FC3
.text C:\WINDOWS\system32\svchost.exe[1884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007D0FD4
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C006C
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0047
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0F79
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0F8A
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0FAF
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C00A9
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C0098
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C00DF
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C00CE
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007C0F35
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007C0087
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007C0011
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007C0FC0
.text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007C0F46
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A40022
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyExW 77DD776C 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A40070
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A4005F
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A4004E
.text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A4003D
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0F9E
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0FC3
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0018
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0033
.text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0FDE
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1884] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 007E001B
.text C:\WINDOWS\System32\svchost.exe[1900] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D20000
.text C:\WINDOWS\System32\svchost.exe[1900] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\System32\svchost.exe[1900] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D2001B
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10075
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F8A
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10064
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10047
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FC0
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10092
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F4A
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F03
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F1E
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10EF2
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10FA5
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10011
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F5B
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D1002C
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FDB
.text C:\WINDOWS\System32\svchost.exe[1900] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10F2F
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00025
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00047
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D0000A
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00036
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D00F9E
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F0, 88]
.text C:\WINDOWS\System32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00FAF
.text C:\WINDOWS\System32\svchost.exe[1900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0058
.text C:\WINDOWS\System32\svchost.exe[1900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0047
.text C:\WINDOWS\System32\svchost.exe[1900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF001B
.text C:\WINDOWS\System32\svchost.exe[1900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FE3
.text C:\WINDOWS\System32\svchost.exe[1900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0036
.text C:\WINDOWS\System32\svchost.exe[1900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0000
.text C:\WINDOWS\System32\svchost.exe[1900] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\System32\svchost.exe[1900] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\System32\svchost.exe[1900] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\System32\svchost.exe[1900] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00CE0014
.text C:\WINDOWS\System32\svchost.exe[1960] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[1960] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00920FD4
.text C:\WINDOWS\System32\svchost.exe[1960] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00920FE5
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00910FE5
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00910F57
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00910F72
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00910F83
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00910040
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00910F9E
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00910F21
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00910F32
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009100B3
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0091008E
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00910EF5
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0091002F
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00910FD4
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0091005D
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00910FAF
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00910F10
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FCA
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00960080
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0096001B
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0096000A
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00960FB9
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00960FEF
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0096005B
.text C:\WINDOWS\System32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960040
.text C:\WINDOWS\System32\svchost.exe[1960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00950FC3
.text C:\WINDOWS\System32\svchost.exe[1960] msvcrt.dll!system 77C293C7 5 Bytes JMP 0095004E
.text C:\WINDOWS\System32\svchost.exe[1960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950FE5
.text C:\WINDOWS\System32\svchost.exe[1960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0095000C
.text C:\WINDOWS\System32\svchost.exe[1960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FD4
.text C:\WINDOWS\System32\svchost.exe[1960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00950029
.text C:\WINDOWS\System32\svchost.exe[1960] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[1960] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00930FD4
.text C:\WINDOWS\System32\svchost.exe[1960] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00930FC3
.text C:\WINDOWS\System32\svchost.exe[1960] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00930FB2
.text C:\WINDOWS\System32\svchost.exe[1960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00940000
.text C:\WINDOWS\Explorer.EXE[2584] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\Explorer.EXE[2584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text C:\WINDOWS\Explorer.EXE[2584] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090000
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0000
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0F8B
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0080
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0FA6
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0FC3
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D004A
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00D3
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00B6
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00FF
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D00EE
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0F4B
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0065
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D009B
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0FD4
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0025
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F70
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0025
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F9B
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0062
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0047
.text C:\WINDOWS\Explorer.EXE[2584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0036
.text C:\WINDOWS\Explorer.EXE[2584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002D0FD2
.text C:\WINDOWS\Explorer.EXE[2584] msvcrt.dll!system 77C293C7 5 Bytes JMP 002D005D
.text C:\WINDOWS\Explorer.EXE[2584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002D001D
.text C:\WINDOWS\Explorer.EXE[2584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002D000C
.text C:\WINDOWS\Explorer.EXE[2584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002D0038
.text C:\WINDOWS\Explorer.EXE[2584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002D0FE3
.text C:\WINDOWS\Explorer.EXE[2584] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002F0FEF
.text C:\WINDOWS\Explorer.EXE[2584] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002F0FD4
.text C:\WINDOWS\Explorer.EXE[2584] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002F000A
.text C:\WINDOWS\Explorer.EXE[2584] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 002F0025
.text C:\WINDOWS\Explorer.EXE[2584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01EA0FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[128] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[128] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ABEFAF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ABEFAF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8ABEFAF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8ABEFAF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-12 8ABEFAF1

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Device\Ide\IdeDeviceP0T1L0-3 -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#5&34fa4dfd&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625140190 (+144): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
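Added example, not part of the original post or of GMER itself: a small Python triage helper that parses GMER 1.0.15 user-mode hook lines, groups them per process, and pulls out the lines GMER marks as rootkit-related, so that the two flagged entries at the end of a log like the one above do not get lost among hundreds of uniform 5-byte API hooks. The sample log is a constructed excerpt of lines posted in this thread; the function names are mine.

```python
import re
from collections import Counter

# One GMER user-mode inline hook line, e.g.
# .text C:\WINDOWS\system32\lsass.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
# Split hooks carry "+ <offset>" after the export and may be 1 or 2 bytes long.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)
# Section banner, e.g. "---- Files - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")

# Constructed sample: a short excerpt of the GMER log posted in this thread
# (hook lines trimmed to a handful per process; section banners kept).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00049
.text C:\WINDOWS\system32\lsass.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\lsass.exe[1520] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0F94
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\Explorer.EXE[2584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01EA0FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[128] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625140190 (+144): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer(text):
    """Return (hooks, flagged): hooks is one dict per .text hook line, flagged is
    the list of raw lines in the Disk sectors / Files sections that GMER itself
    labels as rootkit-related."""
    hooks, flagged, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["size"] = int(d["size"])
            d["process"] = d["path"].rsplit("\\", 1)[-1]  # image name only
            hooks.append(d)
            continue
        if section in ("Disk sectors", "Files") and "rootkit" in line.lower():
            flagged.append(line)
    return hooks, flagged


def hooks_per_process(hooks):
    """Count hooks per 'process[pid]' so a reviewer sees at a glance whether the
    hook set is uniform across processes or concentrated in one of them."""
    return dict(Counter("%s[%d]" % (h["process"], h["pid"]) for h in hooks))


def hooked_exports(hooks):
    """Sorted, de-duplicated 'module!export' names that carry a hook anywhere."""
    return sorted({"%s!%s" % (h["module"], h["export"]) for h in hooks})


def split_hooks(hooks):
    """Hooks that are not plain 5-byte JMPs (partial patches or '+ offset' tails)."""
    return [h for h in hooks if h["size"] != 5 or h["offset"] is not None]


def triage(text):
    """Summarise a GMER log: hook statistics plus the rootkit lines to act on."""
    hooks, flagged = parse_gmer(text)
    return {
        "hook_count": len(hooks),
        "per_process": hooks_per_process(hooks),
        "exports": hooked_exports(hooks),
        "split_hooks": len(split_hooks(hooks)),
        "rootkit_lines": flagged,
        "verdict": "rootkit indicators present" if flagged else "no rootkit lines flagged",
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print("%-14s %s" % (key + ":", value))
```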

#5 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:19 AM

Posted 08 March 2011 - 05:39 PM

Hi JUSTgimme_aHAMMER,

Step 1
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • Vista/Win7 users should right-click and select Run As Administrator.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next reply.


Step 2
Please update MBAM and run another scan:

Last Database version is: 5993


Start MBAM
Click on the Update tab

Click Check for Updates

If it says that MBAM needs to close to update it... let it close and then restart.
Then click the Scan button.

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please submit:
TDSSKiller report
new MBAM report


Thanks.
