Browser Redirect - Stopzilla, betterdeals


  • This topic is locked
28 replies to this topic

#1 timelapse

  • Members
  • 14 posts

Posted 15 September 2011 - 03:20 PM

Hi guys, recently and more frequently Google is redirecting me when I click a link. Would it be possible for you to take a peek at what's going on? Cheers.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_26
Run by Paolo@EdgeAV at 20:35:27 on 2011-09-15
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2045.865 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
C:\Windows\system32\hasplms.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\ProgramData\Philips\Common Database\ProntoDataService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Paolo@EdgeAV\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\System32\alg.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6071105
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110913212131.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\paolo@~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\paolo@edgeav\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\paolo@~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\OUTLOOK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: dyndns.ws\edgebanfield
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {AA25A56C-B654-4356-B390-DC3594B75C63} - hxxp://edgebanfield.dyndns.ws/codebase/HCNetVideoActiveX.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{EA731827-6A93-4961-8249-7C224AF06BF1} : DhcpNameServer = 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paolo@edgeav\appdata\roaming\mozilla\firefox\profiles\gvn7kyze.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-4 461864]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-9-7 64712]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-11-16 164776]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-9-24 21504]
R2 GsServer;GoodSync Server;c:\program files\siber systems\goodsync\Gs-Server.exe [2011-9-15 2813952]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-7 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-7 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-7 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-7 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-7 166024]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-9-7 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-9-7 148520]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 ProntoDataService;Pronto Data Server;c:\programdata\philips\common database\ProntoDataService.exe [2010-6-17 20480]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-11-5 179712]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-9-7 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-7 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-7 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-9-7 338040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FnetUsbDrv;FnetUsbDrv;c:\windows\system32\drivers\fnetusb.sys [2007-2-6 13696]
S3 libusb0;USB Kernel Driver;c:\windows\system32\drivers\libusb0.sys [2011-7-4 36456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-7 87808]
S3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\drivers\PLCND532.sys [2007-5-14 46848]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\drivers\TEUSBMU.sys [2011-2-14 20992]
S3 URC_USB_SYNC_FW;URC USB Sync FW;c:\windows\system32\drivers\URC_USB_SYNC_FW.sys [2008-4-21 18944]
S3 VIRUSUSB;USB ASIO driver for Virus TI USB;c:\windows\system32\drivers\VirusUSB.sys [2010-5-27 389696]
S3 VTIAUDIO;Virus TI Audio;c:\windows\system32\drivers\vtiaudio.sys [2010-5-27 39488]
S3 VTIMIDEV01;Virus TI MIDI Driver;c:\windows\system32\drivers\vtimidi.sys [2010-5-12 56136]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Eaton IntelligentPowerManager;Eaton Intelligent Power Manager;c:\program files\eaton\intelligentpowermanager\mc2.exe [2011-7-4 3785003]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-4 30192]
S4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-9-7 84072]
S4 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-3-15 2296696]
.
=============== Created Last 30 ================
.
2011-09-13 20:21:28 28504 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2011-09-13 10:38:12 -------- d-----w- c:\users\paolo@edgeav\appdata\roaming\JAM Software
2011-09-13 10:38:06 -------- d-----w- c:\program files\JAM Software
2011-09-05 14:32:05 -------- d-----w- c:\users\paolo@edgeav\appdata\local\Apple
2011-09-05 14:25:44 -------- d-----w- c:\users\paolo@edgeav\appdata\local\Adobe
2011-08-30 08:58:31 -------- d-----w- c:\users\paolo@edgeav\appdata\local\Apple Computer
2011-08-27 07:29:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-27 07:29:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-26 09:22:24 388096 ----a-w- c:\users\paolo@edgeav\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-26 09:22:22 -------- d-----w- c:\program files\Trend Micro
2011-08-24 08:38:28 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-17 14:22:37 -------- d-----w- C:\DFR11EQ5
2011-08-17 14:22:10 26768 ----a-w- c:\windows\system\CTL3D.DLL
2011-08-17 14:22:10 248064 ----a-w- c:\windows\UNINST16.EXE
.
==================== Find3M ====================
.
2011-08-15 09:00:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 09:00:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 09:00:06 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-08-15 09:00:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 09:00:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 09:00:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 09:00:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 09:00:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 09:00:06 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-08-15 09:00:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-07-22 13:54:40 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-04 07:32:04 36456 ----a-w- c:\windows\system32\drivers\libusb0.sys
2011-06-21 15:49:52 834048 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 14:13:51 389632 ----a-w- c:\windows\system32\html.iec
2011-06-20 08:54:36 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54:36 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-17 20:13:55 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 20:36:32.07 ===============


#2 timelapse

  • Topic Starter

  • Members
  • 14 posts

Posted 15 September 2011 - 03:28 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-15 21:18:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD12 rev.01.0
Running: gmer.exe; Driver: C:\Users\PAOLO@~1\AppData\Local\Temp\kflyykow.sys


---- Kernel code sections - GMER 1.0.15 ----

.init :\Windows\system32\drivers\aksfridge.sys entry point in ".init" section [0xA0F37224]
.init :\Windows\system32\drivers\aksfridge.sys unknown last code section [0xA0F37000, 0x4000, 0xE20000E0]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA0FEFC20] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA0FEFC20]
.protect˙˙˙˙hardlockunknown last code section [0xA0FEFA00, 0x50CA, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0xA0FEFA00, 0x50CA, 0xE0000020]
.text ntkrnlpa.exe!ZwYieldExecution 82443982 5 Bytes JMP 88643258 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!KeSetEvent + 1E9 824C496C 3 Bytes [EC, 8F, 41]
.text ntkrnlpa.exe!KeSetEvent + 3DD 824C4B60 3 Bytes [F1, 8F, 41]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CA04340, 0x345217, 0xE8000020]
.text C:\Windows\system32\drivers\aksfridge.sys section is writeable [0xA0EE1000, 0x49379, 0xE0000020]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0xA0F65400, 0x6EB98, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[212] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00780FEF
.text C:\Windows\system32\svchost.exe[212] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00780FB9
.text C:\Windows\system32\svchost.exe[212] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00780FCA
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00720080
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00720F44
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 00720EFA
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 0072009B
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 0072006F
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00720FE5
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00720FD4
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00720F55
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 0072005E
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00720FB2
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00720FA1
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00720FC3
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00720F7A
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 007200AC
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0072001B
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00720000
.text C:\Windows\system32\svchost.exe[212] kernel32.dll!WinExec 766260CF 5 Bytes JMP 00720F1F
.text C:\Windows\system32\svchost.exe[212] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 007A0042
.text C:\Windows\system32\svchost.exe[212] msvcrt.dll!system 77AA804B 5 Bytes JMP 007A0FAD
.text C:\Windows\system32\svchost.exe[212] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 007A0FD9
.text C:\Windows\system32\svchost.exe[212] msvcrt.dll!_open 77AAD106 5 Bytes JMP 007A0000
.text C:\Windows\system32\svchost.exe[212] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 007A0FC8
.text C:\Windows\system32\svchost.exe[212] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 007A001D
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00770047
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00770FC0
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 0077000A
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00770FAF
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00770F94
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00770FDB
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 0077001B
.text C:\Windows\system32\svchost.exe[212] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 0077002C
.text C:\Windows\system32\svchost.exe[212] WS2_32.dll!socket 765636D1 5 Bytes JMP 00790FE5
.text C:\Windows\system32\svchost.exe[636] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[636] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00080FEF
.text C:\Windows\system32\svchost.exe[636] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 0008001B
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00070F21
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00070F46
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 00070096
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00070EF5
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00070F83
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00070011
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00070FC0
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00070F57
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00070051
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00070FA5
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00070F94
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00070036
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00070F68
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00070EE4
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00070FE5
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[636] kernel32.dll!WinExec 766260CF 5 Bytes JMP 00070F06
.text C:\Windows\system32\svchost.exe[636] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 000C0047
.text C:\Windows\system32\svchost.exe[636] msvcrt.dll!system 77AA804B 5 Bytes JMP 000C0FBC
.text C:\Windows\system32\svchost.exe[636] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 000C0FD7
.text C:\Windows\system32\svchost.exe[636] msvcrt.dll!_open 77AAD106 5 Bytes JMP 000C0000
.text C:\Windows\system32\svchost.exe[636] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 000C002C
.text C:\Windows\system32\svchost.exe[636] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 000C0011
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 000A003D
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 000A0011
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 000A0FE5
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 000A002C
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 000A0F8A
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 000A0FCA
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 000A0000
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[636] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 000A0FA5
.text C:\Windows\system32\svchost.exe[636] WS2_32.dll!socket 765636D1 5 Bytes JMP 00090000
.text C:\Windows\system32\services.exe[764] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00060FE5
.text C:\Windows\system32\services.exe[764] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00060FB9
.text C:\Windows\system32\services.exe[764] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00060FCA
.text C:\Windows\system32\services.exe[764] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00080F66
.text C:\Windows\system32\services.exe[764] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00080F77
.text C:\Windows\system32\services.exe[764] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 00080F37
.text C:\Windows\system32\services.exe[764] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 000800CE
.text C:\Windows\system32\services.exe[764] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 0008007D
.text C:\Windows\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00080025
.text C:\Windows\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00080036
.text C:\Windows\system32\services.exe[764] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00080098
.text C:\Windows\system32\services.exe[764] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00080FAF
.text C:\Windows\system32\services.exe[764] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00080FC0
.text C:\Windows\system32\services.exe[764] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00080062
.text C:\Windows\system32\services.exe[764] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00080047
.text C:\Windows\system32\services.exe[764] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00080F92
.text C:\Windows\system32\services.exe[764] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 000800E9
.text C:\Windows\system32\services.exe[764] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0008000A
.text C:\Windows\system32\services.exe[764] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00080FEF
.text C:\Windows\system32\services.exe[764] kernel32.dll!WinExec 766260CF 5 Bytes JMP 000800BD
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 001B0FB9
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 001B0040
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 001B005B
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 001B0FA8
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 001B0025
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 001B000A
.text C:\Windows\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 001B0FD4
.text C:\Windows\system32\services.exe[764] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 001C003F
.text C:\Windows\system32\services.exe[764] msvcrt.dll!system 77AA804B 5 Bytes JMP 001C0FB4
.text C:\Windows\system32\services.exe[764] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 001C001D
.text C:\Windows\system32\services.exe[764] msvcrt.dll!_open 77AAD106 5 Bytes JMP 001C0FE3
.text C:\Windows\system32\services.exe[764] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 001C002E
.text C:\Windows\system32\services.exe[764] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 001C0000
.text C:\Windows\system32\services.exe[764] WS2_32.dll!socket 765636D1 5 Bytes JMP 00070FEF
.text C:\Windows\system32\lsass.exe[776] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00210FEF
.text C:\Windows\system32\lsass.exe[776] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00210FD4
.text C:\Windows\system32\lsass.exe[776] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 0021000A
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00230F68
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 002300AE
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 002300E4
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00230F4D
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00230064
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00230FCA
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00230FAF
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00230093
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00230047
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 0023001B
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00230036
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00230F9E
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00230F79
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00230F32
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00230000
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00230FE5
.text C:\Windows\system32\lsass.exe[776] kernel32.dll!WinExec 766260CF 5 Bytes JMP 002300C9
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00240058
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00240FAC
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 00240000
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 0024003D
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00240069
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00240022
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00240011
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00240FC7
.text C:\Windows\system32\lsass.exe[776] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 003F0070
.text C:\Windows\system32\lsass.exe[776] msvcrt.dll!system 77AA804B 5 Bytes JMP 003F0055
.text C:\Windows\system32\lsass.exe[776] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 003F003A
.text C:\Windows\system32\lsass.exe[776] msvcrt.dll!_open 77AAD106 5 Bytes JMP 003F000C
.text C:\Windows\system32\lsass.exe[776] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 003F0FE5
.text C:\Windows\system32\lsass.exe[776] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 003F0029
.text C:\Windows\system32\lsass.exe[776] WS2_32.dll!socket 765636D1 5 Bytes JMP 00220FE5
.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00200FEF
.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00200FC3
.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00200FD4
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 0022007A
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00220069
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 002200A6
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00220F19
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00220047
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00220000
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00220FAF
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00220F3E
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00220F79
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 0022002C
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00220F8A
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00220011
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00220058
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00220EF4
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00220FCA
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00220FEF
.text C:\Windows\system32\svchost.exe[920] kernel32.dll!WinExec 766260CF 5 Bytes JMP 00220095
.text C:\Windows\system32\svchost.exe[920] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00240FA6
.text C:\Windows\system32\svchost.exe[920] msvcrt.dll!system 77AA804B 5 Bytes JMP 00240FB7
.text C:\Windows\system32\svchost.exe[920] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00240FC8
.text C:\Windows\system32\svchost.exe[920] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00240FEF
.text C:\Windows\system32\svchost.exe[920] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 0024001D
.text C:\Windows\system32\svchost.exe[920] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 0024000C
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00230FB9
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 0023004A
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 0023005B
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00230F9E
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00230025
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00230FEF
.text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00230FDE
.text C:\Windows\system32\svchost.exe[920] WS2_32.dll!socket 765636D1 5 Bytes JMP 00210FEF
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 006A0000
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 006A002C
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 006A001B
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00930F1C
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00930F37
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 009300A2
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00930F0B
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00930F63
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 0093001B
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00930FC0
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00930062
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 0093003D
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00930F8A
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 0093002C
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00930FAF
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00930F52
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00930EE6
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00930FE5
.text C:\Windows\system32\svchost.exe[1024] kernel32.dll!WinExec 766260CF 5 Bytes JMP 00930087
.text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00CE0031
.text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!system 77AA804B 5 Bytes JMP 00CE0F9C
.text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00CE0FD2
.text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00CE0000
.text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00CE0FB7
.text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00CE0FE3
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 767A39AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00940FAF
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00940036
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 0094000A
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00940051
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00940F94
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00940FD4
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00940FE5
.text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00940025
.text C:\Windows\system32\svchost.exe[1024] WS2_32.dll!socket 765636D1 5 Bytes JMP 00920FEF
.text C:\Windows\System32\svchost.exe[1176] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 009F0FE5
.text C:\Windows\System32\svchost.exe[1176] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 009F0000
.text C:\Windows\System32\svchost.exe[1176] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 009F0FCA
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00330F5A
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00330F6B
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 00330F2E
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 003300C5
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00330F9E
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00330FD4
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00330025
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00330F7C
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 0033006C
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00330FAF
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 0033005B
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00330036
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00330F8D
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 003300E0
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0033000A
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00330FEF
.text C:\Windows\System32\svchost.exe[1176] kernel32.dll!WinExec 766260CF 5 Bytes JMP 00330F3F
.text C:\Windows\System32\svchost.exe[1176] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00DF0F89
.text C:\Windows\System32\svchost.exe[1176] msvcrt.dll!system 77AA804B 5 Bytes JMP 00DF000A
.text C:\Windows\System32\svchost.exe[1176] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00DF0FB5
.text C:\Windows\System32\svchost.exe[1176] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1176] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00DF0F9A
.text C:\Windows\System32\svchost.exe[1176] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00DF0FC6
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00A50F79
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00A50FAF
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 00A50000
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00A50F94
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00A50F68
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00A50FDB
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00A50011
.text C:\Windows\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00A50FCA
.text C:\Windows\System32\svchost.exe[1176] WS2_32.dll!socket 765636D1 5 Bytes JMP 00A40FE5
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 01670000
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 01670FE5
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 0167001B
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 01550047
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 01550F01
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 01550087
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 01550EE6
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 01550F5C
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 01550FAF
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 01550F9E
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 01550F26
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 01550036
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 01550011
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 01550F79
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 01550000
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 01550F37
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 01550ED5
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 01550FCA
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 01550FE5
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!WinExec 766260CF 5 Bytes JMP 01550058
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 01750F92
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!system 77AA804B 5 Bytes JMP 01750FA3
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 0175001D
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_open 77AAD106 5 Bytes JMP 01750FEF
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 01750FBE
.text C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 0175000C
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 01740047
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 0174002C
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 01740000
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 01740FA5
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 01740062
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 01740FD4
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 01740FE5
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 0174001B
.text C:\Windows\System32\svchost.exe[1220] WS2_32.dll!socket 765636D1 5 Bytes JMP 016F000A
.text C:\Windows\system32\svchost.exe[1248] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 011C0FEF
.text C:\Windows\system32\svchost.exe[1248] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 011C0FB9
.text C:\Windows\system32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 011C0FDE
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 0116006C
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 0116005B
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 011600AC
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 01160F15
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 01160F5C
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 0116001B
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 01160FC0
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 01160F30
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 01160F77
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 01160040
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 01160F9E
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 01160FAF
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 01160F4B
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 011600BD
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0116000A
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 01160FEF
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!WinExec 766260CF 5 Bytes JMP 01160087
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 01280031
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!system 77AA804B 5 Bytes JMP 01280FB0
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 01280FC1
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_open 77AAD106 5 Bytes JMP 01280FE3
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 01280016
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 01280FD2
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 01230076
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 01230040
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 01230000
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 01230065
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 01230087
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 01230FEF
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 01230025
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 01230FD4
.text C:\Windows\system32\svchost.exe[1248] WS2_32.dll!socket 765636D1 5 Bytes JMP 011D0FEF
.text C:\Windows\system32\svchost.exe[1452] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 0035000A
.text C:\Windows\system32\svchost.exe[1452] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00350FD4
.text C:\Windows\system32\svchost.exe[1452] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00350FE5
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00340F5E
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00340F79
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 00340F1E
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00340F43
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00340089
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 0034001B
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00340FCA
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00340F8A
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00340FAF
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 0034005B
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 0034006C
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00340040
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 0034009A
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 003400DA
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[1452] kernel32.dll!WinExec 766260CF 5 Bytes JMP 003400BF
.text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00D60FA1
.text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!system 77AA804B 5 Bytes JMP 00D6002C
.text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00D60FCD
.text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00D60000
.text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00D60FBC
.text C:\Windows\system32\svchost.exe[1452] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00D60011
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00D50FC0
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00D5004E
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 00D5000A
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00D50FD1
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00D50F9B
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00D5002C
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00D5001B
.text C:\Windows\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00D5003D
.text C:\Windows\system32\svchost.exe[1452] WS2_32.dll!socket 765636D1 5 Bytes JMP 00970FEF
.text C:\Windows\system32\svchost.exe[1452] WININET.dll!InternetOpenA 7754D4AD 5 Bytes JMP 01130000
.text C:\Windows\system32\svchost.exe[1452] WININET.dll!InternetOpenW 7754D80A 5 Bytes JMP 01130011
.text C:\Windows\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlA 7754FE7B 5 Bytes JMP 01130FDB
.text C:\Windows\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlW 77599189 5 Bytes JMP 0113002C
.text C:\Windows\system32\svchost.exe[1600] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00920000
.text C:\Windows\system32\svchost.exe[1600] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00920025
.text C:\Windows\system32\svchost.exe[1600] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00920FEF
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 009100B8
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 009100A7
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 009100F5
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 009100E4
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00910FA8
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00910FDE
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 0091002F
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00910F7C
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00910082
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 0091004A
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00910065
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00910FC3
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00910F97
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00910110
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0091000A
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00910FEF
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!WinExec 766260CF 5 Bytes JMP 009100C9
.text C:\Windows\system32\svchost.exe[1600] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00D20047
.text C:\Windows\system32\svchost.exe[1600] msvcrt.dll!system 77AA804B 5 Bytes JMP 00D20FBC
.text C:\Windows\system32\svchost.exe[1600] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00D20022
.text C:\Windows\system32\svchost.exe[1600] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00D20000
.text C:\Windows\system32\svchost.exe[1600] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00D20FCD
.text C:\Windows\system32\svchost.exe[1600] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00D20011
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00980047
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00980025
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 0098000A
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00980036
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00980058
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00980FCA
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00980FE5
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00980FB9
.text C:\Windows\system32\svchost.exe[1600] WS2_32.dll!socket 765636D1 5 Bytes JMP 00930FE5
.text C:\Program Files\Mozilla Firefox\firefox.exe[1724] ntdll.dll!LdrLoadDll 778C93A8 5 Bytes JMP 002F1410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Windows\system32\svchost.exe[1824] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 018D0FEF
.text C:\Windows\system32\svchost.exe[1824] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 018D000A
.text C:\Windows\system32\svchost.exe[1824] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 018D0FD4
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 018B00A9
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 018B008E
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 018B0F2D
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 018B0F3E
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 018B0051
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 018B0011
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 018B0FC0
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 018B0073
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 018B0F79
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 018B0F9B
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 018B0F8A
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 018B002C
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 018B0062
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 018B0F08
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 018B0FDB
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 018B0000
.text C:\Windows\system32\svchost.exe[1824] kernel32.dll!WinExec 766260CF 5 Bytes JMP 018B00BA
.text C:\Windows\system32\svchost.exe[1824] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 01900FD2
.text C:\Windows\system32\svchost.exe[1824] msvcrt.dll!system 77AA804B 5 Bytes JMP 0190005D
.text C:\Windows\system32\svchost.exe[1824] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 01900038
.text C:\Windows\system32\svchost.exe[1824] msvcrt.dll!_open 77AAD106 5 Bytes JMP 01900000
.text C:\Windows\system32\svchost.exe[1824] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 01900FE3
.text C:\Windows\system32\svchost.exe[1824] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 01900011
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 018F006C
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 018F0FCA
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 018F0000
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 018F005B
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 018F0091
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 018F0022
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 018F0011
.text C:\Windows\system32\svchost.exe[1824] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 018F0FDB
.text C:\Windows\system32\svchost.exe[1824] WS2_32.dll!socket 765636D1 5 Bytes JMP 018E0FEF
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00040000
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00040FD4
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00040FEF
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 000100B3
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00010F63
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 00010F26
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00010F41
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 0001007D
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 0001002C
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00010FDB
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 0001008E
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00010FAF
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00010051
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 0001006C
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00010FCA
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!SetUnhandledExceptionFilter 765BA8C5 5 Bytes JMP 663C5B49 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00010F88
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 000100D8
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 0001001B
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 0001000A
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] kernel32.dll!WinExec 766260CF 5 Bytes JMP 00010F52
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00170FB2
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] msvcrt.dll!system 77AA804B 5 Bytes JMP 00170033
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00170FDE
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00170FEF
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00170FC3
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00170018
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00180062
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00180FDB
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 00180000
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00180FC0
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00180FA5
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 0018002C
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00180011
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00180047
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] ole32.dll!OleLoadFromStream 76431E80 5 Bytes JMP 666E0DB5 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WS2_32.dll!socket 765636D1 5 Bytes JMP 00190FEF
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!HttpOpenRequestA 7753FBBC 5 Bytes JMP 5CF64690 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!InternetConnectA 77540692 5 Bytes JMP 5CF64790 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!InternetCloseHandle 77542DB8 5 Bytes JMP 5CF643D0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!InternetReadFile 775474B9 5 Bytes JMP 5CF644F0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!InternetOpenA 7754D4AD 5 Bytes JMP 02D70000
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!InternetOpenW 7754D80A 5 Bytes JMP 02D70011
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!InternetOpenUrlA 7754FE7B 5 Bytes JMP 02D70FD1
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1832] WININET.dll!InternetOpenUrlW 77599189 5 Bytes JMP 02D70022
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1904] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 6D589A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1904] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 6D5899A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[2300] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00220000
.text C:\Windows\system32\svchost.exe[2300] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00220025
.text C:\Windows\system32\svchost.exe[2300] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00220FEF
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00200F1F
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00200065
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 002000A5
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00200F0E
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00200036
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00200FCA
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00200FB9
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00200F30
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00200F68
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00200025
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00200F83
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00200FA8
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00200F4B
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00200EF3
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00200FE5
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[2300] kernel32.dll!WinExec 766260CF 5 Bytes JMP 0020008A
.text C:\Windows\system32\svchost.exe[2300] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00290F9C
.text C:\Windows\system32\svchost.exe[2300] msvcrt.dll!system 77AA804B 5 Bytes JMP 00290FAD
.text C:\Windows\system32\svchost.exe[2300] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00290FD9
.text C:\Windows\system32\svchost.exe[2300] msvcrt.dll!_open 77AAD106 5 Bytes JMP 0029000C
.text C:\Windows\system32\svchost.exe[2300] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00290FBE
.text C:\Windows\system32\svchost.exe[2300] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 0029001D
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 0021002C
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 00210FAF
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 00210000
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00210F94
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00210F79
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00210FDB
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00210011
.text C:\Windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00210FC0
.text C:\Windows\system32\svchost.exe[2300] WS2_32.dll!socket 765636D1 5 Bytes JMP 00240FE5
.text C:\Windows\System32\svchost.exe[2336] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00070000
.text C:\Windows\System32\svchost.exe[2336] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00070FCA
.text C:\Windows\System32\svchost.exe[2336] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00070FE5
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00050F1A
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00050056
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 00050096
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00050EFF
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00050F46
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00050FCD
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00050014
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00050F2B
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00050F61
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00050F8D
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00050F7C
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00050F9E
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 0005003B
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00050EEE
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00050FDE
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[2336] kernel32.dll!WinExec 766260CF 5 Bytes JMP 0005007B
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00080FD1
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!system 77AA804B 5 Bytes JMP 00080066
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 0008003A
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_open 77AAD106 5 Bytes JMP 0008000C
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 0008004B
.text C:\Windows\System32\svchost.exe[2336] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00080029
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExA 767A39AB 3 Bytes JMP 00060FA1
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExA + 4 767A39AF 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyA 767A3BA9 3 Bytes JMP 00060028
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyA + 4 767A3BAD 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyA 767A89C7 3 Bytes JMP 00060FEF
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyA + 4 767A89CB 1 Byte [89]
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00060039
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 0006005E
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00060FCD
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00060FDE
.text C:\Windows\System32\svchost.exe[2336] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00060FBC
.text C:\Windows\Explorer.EXE[3340] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00040FEF
.text C:\Windows\Explorer.EXE[3340] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00040FB9
.text C:\Windows\Explorer.EXE[3340] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00040FD4
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00010F4D
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00010F72
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 000100BF
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 000100AE
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00010078
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 0001001B
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00010FCA
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00010F83
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00010067
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00010FA8
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 0001004A
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00010FB9
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00010089
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00010F0D
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00010FE5
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00010000
.text C:\Windows\Explorer.EXE[3340] kernel32.dll!WinExec 766260CF 5 Bytes JMP 00010F32
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyExA 767A39AB 3 Bytes JMP 00060054
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyExA + 4 767A39AF 1 Byte [89]
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyA 767A3BA9 3 Bytes JMP 00060FB2
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyA + 4 767A3BAD 1 Byte [89]
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyA 767A89C7 3 Bytes JMP 00060FEF
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyA + 4 767A89CB 1 Byte [89]
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 00060043
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 00060F8D
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 00060FC3
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 00060FDE
.text C:\Windows\Explorer.EXE[3340] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00060014
.text C:\Windows\Explorer.EXE[3340] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00070031
.text C:\Windows\Explorer.EXE[3340] msvcrt.dll!system 77AA804B 5 Bytes JMP 00070FA6
.text C:\Windows\Explorer.EXE[3340] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00070FC1
.text C:\Windows\Explorer.EXE[3340] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00070FEF
.text C:\Windows\Explorer.EXE[3340] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00070016
.text C:\Windows\Explorer.EXE[3340] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00070FD2
.text C:\Windows\Explorer.EXE[3340] WS2_32.dll!socket 765636D1 5 Bytes JMP 036E0FEF
.text C:\Windows\Explorer.EXE[3340] WININET.dll!InternetOpenA 7754D4AD 5 Bytes JMP 03BA0000
.text C:\Windows\Explorer.EXE[3340] WININET.dll!InternetOpenW 7754D80A 5 Bytes JMP 03BA0FE5
.text C:\Windows\Explorer.EXE[3340] WININET.dll!InternetOpenUrlA 7754FE7B 5 Bytes JMP 03BA0011
.text C:\Windows\Explorer.EXE[3340] WININET.dll!InternetOpenUrlW 77599189 5 Bytes JMP 03BA002C
.text C:\Windows\system32\svchost.exe[3500] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00040FEF
.text C:\Windows\system32\svchost.exe[3500] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00040014
.text C:\Windows\system32\svchost.exe[3500] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00040FDE
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 000100A1
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00010090
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 000100CD
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00010F36
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00010F8A
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00010022
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00010FC7
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00010F6F
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00010064
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00010FA5
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00010047
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00010FB6
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 0001007F
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 00010F1B
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00010011
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[3500] kernel32.dll!WinExec 766260CF 5 Bytes JMP 000100B2
.text C:\Windows\system32\svchost.exe[3500] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00060F90
.text C:\Windows\system32\svchost.exe[3500] msvcrt.dll!system 77AA804B 5 Bytes JMP 0006001B
.text C:\Windows\system32\svchost.exe[3500] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00060FBC
.text C:\Windows\system32\svchost.exe[3500] msvcrt.dll!_open 77AAD106 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[3500] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00060FA1
.text C:\Windows\system32\svchost.exe[3500] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00060000
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 000B0076
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 000B0FDE
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 000B0000
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegCreateKeyW 767B391E 5 Bytes JMP 000B0065
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegCreateKeyExW 767B41F1 5 Bytes JMP 000B0087
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegOpenKeyExA 767B7C42 5 Bytes JMP 000B0FEF
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegOpenKeyW 767BE2B5 5 Bytes JMP 000B0025
.text C:\Windows\system32\svchost.exe[3500] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 000B004A
.text C:\Windows\system32\svchost.exe[3500] WS2_32.dll!socket 765636D1 5 Bytes JMP 000C0FEF
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4760] USER32.dll!SetWindowLongA 773CE7CD 5 Bytes JMP 67C9A800 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4760] USER32.dll!SetWindowLongW 773D13B4 5 Bytes JMP 67C9A792 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4760] USER32.dll!GetWindowInfo 773D428E 5 Bytes JMP 67AA229C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4760] USER32.dll!TrackPopupMenu 773E14F3 5 Bytes JMP 67AA2861 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\svchost.exe[4772] ntdll.dll!NtCreateFile 77904224 5 Bytes JMP 00040FE5
.text C:\Windows\system32\svchost.exe[4772] ntdll.dll!NtCreateProcess 779042E4 5 Bytes JMP 00040FB9
.text C:\Windows\system32\svchost.exe[4772] ntdll.dll!NtProtectVirtualMemory 77904B84 5 Bytes JMP 00040FCA
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!GetStartupInfoW 76591929 5 Bytes JMP 00010F5A
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!GetStartupInfoA 765919C9 5 Bytes JMP 00010096
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!CreateProcessW 76591BF3 5 Bytes JMP 000100CC
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!CreateProcessA 76591C28 5 Bytes JMP 00010F35
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!VirtualProtect 76591DC3 5 Bytes JMP 00010F6B
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!CreateNamedPipeA 76592EF5 5 Bytes JMP 00010FC3
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!CreateNamedPipeW 76595C0C 5 Bytes JMP 00010014
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!CreatePipe 765B8F06 5 Bytes JMP 00010085
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!LoadLibraryExW 765B927C 5 Bytes JMP 00010F86
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!LoadLibraryW 765B9400 5 Bytes JMP 00010F97
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!LoadLibraryExA 765B9554 5 Bytes JMP 00010043
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!LoadLibraryA 765B957C 5 Bytes JMP 00010FA8
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!VirtualProtectEx 765BDC52 5 Bytes JMP 00010060
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!GetProcAddress 765D925B 5 Bytes JMP 000100DD
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!CreateFileW 765DB0EB 5 Bytes JMP 00010FD4
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!CreateFileA 765DD07F 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[4772] kernel32.dll!WinExec 766260CF 5 Bytes JMP 000100BB
.text C:\Windows\system32\svchost.exe[4772] msvcrt.dll!_wsystem 77AA7F2F 5 Bytes JMP 00060FB9
.text C:\Windows\system32\svchost.exe[4772] msvcrt.dll!system 77AA804B 5 Bytes JMP 00060044
.text C:\Windows\system32\svchost.exe[4772] msvcrt.dll!_creat 77AABBE1 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[4772] msvcrt.dll!_open 77AAD106 5 Bytes JMP 0006000C
.text C:\Windows\system32\svchost.exe[4772] msvcrt.dll!_wcreat 77AAD326 5 Bytes JMP 00060FD4
.text C:\Windows\system32\svchost.exe[4772] msvcrt.dll!_wopen 77AAD501 5 Bytes JMP 00060029
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegCreateKeyExA 767A39AB 5 Bytes JMP 00070F94
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegCreateKeyA 767A3BA9 5 Bytes JMP 0007001B
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegOpenKeyA 767A89C7 5 Bytes JMP 00070FE5
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegCreateKeyW 767B391E 3 Bytes JMP 00070036
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegCreateKeyW + 4 767B3922 1 Byte [89]
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegCreateKeyExW 767B41F1 3 Bytes JMP 0007005B
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegCreateKeyExW + 4 767B41F5 1 Byte [89]
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegOpenKeyExA 767B7C42 3 Bytes JMP 00070FCA
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegOpenKeyExA + 4 767B7C46 1 Byte [89]
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegOpenKeyW 767BE2B5 3 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegOpenKeyW + 4 767BE2B9 1 Byte [89]
.text C:\Windows\system32\svchost.exe[4772] ADVAPI32.dll!RegOpenKeyExW 767C7BA1 5 Bytes JMP 00070FB9
.text C:\Windows\system32\svchost.exe[4772] WS2_32.dll!socket 765636D1 5 Bytes JMP 00080000

---- Kernel code sections - GMER 1.0.15 ----

? C:\Users\PAOLO@~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x88643268]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x88643292]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8864327E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x88643254]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Device \Driver\disk \Device\Harddisk0\DR0 aksfridge.sys

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 82418FF6

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 82609143 5 Bytes JMP 88643296 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8262889A 7 Bytes JMP 8864326C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82628B5D 5 Bytes JMP 88643282 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{1CEC164E-47A1-F17E-12CD-7DF03EF50283}\Server
Reg HKLM\SOFTWARE\Classes\CLSID\{2F583FD0-FCD7-0CC2-FD8E-1D2C12AC0BA6}\Server
Reg HKLM\SOFTWARE\Classes\CLSID\{4C01CE4A-BE6F-DC10-6DAA-00311BC2E21E}\Server
Reg HKLM\SOFTWARE\Classes\CLSID\{8F8C955A-9F52-3E99-8C88-850566D02586}\Server

SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x82418FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82418FEC] ZwCreateKey [0x82418FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x82418FF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82418FF1] ZwOpenKey [0x82418FF1]

---- EOF - GMER 1.0.15 ----

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:56 AM

Posted 20 September 2011 - 09:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

#4 nasdaq

Posted 27 September 2011 - 08:41 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:12:56 AM

Posted 28 September 2011 - 10:48 AM

Re-opened per OP PM.

#6 nasdaq

Posted 28 September 2011 - 01:19 PM

timelapse

I'm listening.

Please post the logs I requested.

#7 timelapse

Posted 29 September 2011 - 12:58 AM

Good morning guys, apologies for missing the first response. Thanks again for your time and patience. I appreciate it is stretched.

as requested.


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-28 09:27:55
-----------------------------
09:27:55.224 OS Version: Windows 6.0.6002 Service Pack 2
09:27:55.225 Number of processors: 2 586 0xF0D
09:27:55.226 ComputerName: PAOLOEDGEAV-PC UserName: Paolo@EdgeAV
09:28:28.129 Initialize success
09:29:59.410 AVAST engine defs: 11092701
09:30:26.302 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
09:30:26.306 Disk 0 Vendor: WDC_WD12 01.0 Size: 114473MB BusType: 3
09:30:26.338 Disk 0 MBR read successfully
09:30:26.342 Disk 0 MBR scan
09:30:26.349 Disk 0 Windows VISTA default MBR code
09:30:26.355 Disk 0 scanning sectors +234438656
09:30:26.537 Disk 0 scanning C:\Windows\system32\drivers
09:31:13.189 Service scanning
09:31:15.204 Modules scanning
09:31:21.578 Disk 0 trace - called modules:
09:31:21.600 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
09:31:21.605 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867729c8]
09:31:21.609 3 CLASSPNP.SYS[88bc78b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85624030]
09:31:23.683 AVAST engine scan C:\Windows
09:31:33.030 AVAST engine scan C:\Windows\system32
09:36:10.892 AVAST engine scan C:\Windows\system32\drivers
09:36:28.403 AVAST engine scan C:\Users\Paolo@EdgeAV
09:55:30.323 AVAST engine scan C:\ProgramData
09:58:37.026 Scan finished successfully
10:38:02.867 Disk 0 MBR has been saved successfully to "C:\Users\Paolo@EdgeAV\Documents\MBR.dat"
10:38:02.896 The log file has been saved successfully to "C:\Users\Paolo@EdgeAV\Documents\aswMBR.txt"



TDSSKiller reported no errors.

Paolo.

Attached File  MBR.zip   575bytes   0 downloads

Edited by timelapse, 29 September 2011 - 01:00 AM.


#8 nasdaq

Posted 29 September 2011 - 07:18 AM

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives.
  • Then please choose Security level: Recommended and perform the following actions.
  • Click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Post the log and let me know what problem persists.

#9 timelapse

timelapse
  • Topic Starter


Posted 02 October 2011 - 05:48 AM

Hi, thanks, here are the results (attached) for AVPT. I couldn't find the detected section you mentioned so I have included the whole text file. Below are the ComboFix results. Do I need to do anything else? I have a script debug window that pops up every now and again?

ComboFix 11-09-29.06 - Paolo@EdgeAV 29/09/2011 18:25:46.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2045.1211 [GMT 1:00]
Running from: c:\users\Paolo@EdgeAV\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Eaton\IntelligentPowerManager\mc2.exe
c:\users\Paolo@EdgeAV\AppData\Local\{BD12B58E-8158-4C0A-9CBF-93C04A9BB331}
c:\users\Paolo@EdgeAV\AppData\Local\{BD12B58E-8158-4C0A-9CBF-93C04A9BB331}\chrome.manifest
c:\users\Paolo@EdgeAV\AppData\Local\{BD12B58E-8158-4C0A-9CBF-93C04A9BB331}\chrome\content\_cfg.js
c:\users\Paolo@EdgeAV\AppData\Local\{BD12B58E-8158-4C0A-9CBF-93C04A9BB331}\chrome\content\overlay.xul
c:\users\Paolo@EdgeAV\AppData\Local\{BD12B58E-8158-4C0A-9CBF-93C04A9BB331}\install.rdf
c:\users\Paolo@EdgeAV\AppData\Local\ApplicationHistory
c:\users\Paolo@EdgeAV\AppData\Local\ApplicationHistory\device_manager.exe.eae630d7.ini
c:\users\Paolo@EdgeAV\AppData\Local\ApplicationHistory\NV-I8G and NV-E6G Configurator.exe.ef327ac8.ini
c:\users\Paolo@EdgeAV\AppData\Local\ApplicationHistory\promqryui.exe.cb4f4ab8.ini
c:\users\Paolo@EdgeAV\AppData\Roaming\WD
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Eaton IntelligentPowerManager
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-29 )))))))))))))))))))))))))))))))
.
.
2011-09-29 17:36 . 2011-09-29 17:40 -------- d-----w- c:\users\Paolo@EdgeAV\AppData\Local\temp
2011-09-29 17:36 . 2011-09-29 17:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-29 13:03 . 2011-09-29 13:03 -------- d-----w- c:\programdata\Kaspersky Lab
2011-09-22 09:14 . 2011-09-22 09:17 -------- d-----w- c:\program files\Systemline PC Link
2011-09-20 15:45 . 2011-09-20 15:45 -------- d--h--w- c:\users\Paolo@EdgeAV\_gsdata_
2011-09-16 09:40 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-09-13 20:21 . 2011-08-19 14:56 28504 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-09-13 10:38 . 2011-09-13 10:38 -------- d-----w- c:\users\Paolo@EdgeAV\AppData\Roaming\JAM Software
2011-09-13 10:38 . 2011-09-13 10:38 -------- d-----w- c:\program files\JAM Software
2011-09-05 14:32 . 2011-09-05 14:32 -------- d-----w- c:\users\Paolo@EdgeAV\AppData\Local\Apple
2011-09-05 14:25 . 2011-09-15 20:52 -------- d-----w- c:\users\Paolo@EdgeAV\AppData\Local\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-22 09:14 . 2010-11-18 10:46 249856 ------w- c:\windows\Setup1.exe
2011-09-22 09:14 . 2010-11-18 10:46 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-08-26 09:22 . 2011-08-26 09:22 388096 ----a-w- c:\users\Paolo@EdgeAV\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-15 09:00 . 2010-11-16 15:08 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-08-15 09:00 . 2010-09-07 18:57 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 09:00 . 2010-09-07 18:57 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 09:00 . 2010-09-07 18:57 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-08-15 09:00 . 2010-09-07 18:57 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 09:00 . 2010-09-07 18:57 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 09:00 . 2010-09-07 18:57 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 09:00 . 2010-09-07 18:57 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 09:00 . 2010-05-31 19:32 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-08-15 09:00 . 2007-11-04 16:35 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-07-22 13:54 . 2011-08-09 19:36 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-21 07:57 . 2011-07-15 13:38 0 ----a-w- c:\users\Paolo@EdgeAV\AppData\Local\Arovakizaxifivu.bin
2011-07-11 13:25 . 2011-08-24 08:38 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 18:52 . 2011-07-21 20:21 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-07-21 20:21 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 15:31 . 2011-08-09 19:36 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-04 07:32 . 2011-07-04 07:32 36456 ----a-w- c:\windows\system32\drivers\libusb0.sys
2011-09-13 18:49 . 2011-06-27 20:28 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 13:01 . 2010-10-11 10:42 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Paolo@EdgeAV\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Paolo@EdgeAV\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Paolo@EdgeAV\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-29 405504]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-26 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-26 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-06-26 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-26 8433664]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-09 1317016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
c:\users\Paolo@EdgeAV\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Paolo@EdgeAV\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2011-7-27 13002608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 03:06 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 16:43 118784 ----a-w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 12:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-07-30 19:40 16384 ----a-w- c:\dell\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-07 19:21 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 16:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 18:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 16:10 184320 ----a-w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 11:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 FnetUsbDrv;FnetUsbDrv;c:\windows\system32\DRIVERS\fnetusb.sys [2007-02-06 13696]
R3 libusb0;USB Kernel Driver;c:\windows\system32\DRIVERS\libusb0.sys [2011-07-04 36456]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\Drivers\PLCND532.sys [2007-05-14 46848]
R3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\Drivers\TEUSBMU.sys [2009-11-13 20992]
R3 URC_USB_SYNC_FW;URC USB Sync FW;c:\windows\system32\Drivers\URC_USB_SYNC_FW.sys [2008-04-21 18944]
R3 VIRUSUSB;USB ASIO driver for Virus TI USB;c:\windows\system32\Drivers\VirusUSB.sys [2010-05-27 389696]
R3 VTIAUDIO;Virus TI Audio;c:\windows\system32\drivers\vtiaudio.sys [2010-05-27 39488]
R3 VTIMIDEV01;Virus TI MIDI Driver;c:\windows\system32\drivers\vtimidi.sys [2010-05-12 56136]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-07 30192]
R4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-13 84072]
R4 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-03-01 2296696]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S2 GsServer;GoodSync Server;c:\program files\Siber Systems\GoodSync\Gs-Server.exe [2011-09-15 2813952]
S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-08-19 148520]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 ProntoDataService;Pronto Data Server;c:\programdata\Philips\Common Database\ProntoDataService.exe [2010-06-17 20480]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 179712]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-14 c:\windows\Tasks\GoodSync - nas.job
- c:\program files\Siber Systems\GoodSync\GoodSync.exe [2011-09-15 07:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: dyndns.ws\edgebanfield
TCP: DhcpNameServer = 192.168.1.254
DPF: {AA25A56C-B654-4356-B390-DC3594B75C63} - hxxp://edgebanfield.dyndns.ws/codebase/HCNetVideoActiveX.cab
FF - ProfilePath - c:\users\Paolo@EdgeAV\AppData\Roaming\Mozilla\Firefox\Profiles\gvn7kyze.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Eaton Systray Launcher - c:\program files\Eaton\IntelligentPowerManager\mc2.exe
AddRemove-Eaton IntelligentPowerManager - c:\program files\Eaton\IntelligentPowerManager\mc2.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2160)
c:\users\Paolo@EdgeAV\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\hasplms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-09-29 18:56:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-29 17:55
.
Pre-Run: 38,079,819,776 bytes free
Post-Run: 37,830,684,672 bytes free
.
- - End Of File - - B9C245B670C79F049F36D7392493BE5B

#10 nasdaq

nasdaq


Posted 02 October 2011 - 09:13 AM

Your log is clean.

I have a script debug window that pops up every now and again?


You can disable these script debugging messages in Internet Explorer.

Tools->Internet Options…->Advanced->Disable Script Debugging (Internet Explorer)
Tools->Internet Options…->Advanced->Disable Script Debugging (Other)


You may need to apply these changes before closing the tool option.
===

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any pending issues.

#11 timelapse

timelapse

Posted 03 October 2011 - 03:36 AM

Hi, Thanks again. Really appreciate all this help.

Results of screen317's Security Check version 0.99.20
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee Total Protection
Virus TI Software Suite
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Java™ SE Runtime Environment 6
Out of date Java installed!
Adobe Flash Player 10.3.181.14
Mozilla Firefox (Player..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#12 timelapse

timelapse

Posted 03 October 2011 - 08:06 AM

Hi, this is the script debugging window that pops up (attached: popup.jpg). I don't use IE; these windows pop up at random times. Will turning it off in the IE options have an effect?

#13 nasdaq

nasdaq


Posted 03 October 2011 - 08:29 AM

You can disable these script debugging messages in Internet Explorer.

Tools->Internet Options…->Advanced->Disable Script Debugging (Internet Explorer)
Tools->Internet Options…->Advanced->Disable Script Debugging (Other)


Make sure that these options in Internet Explorer are NOT checked.

===

Let me know if the error persists.

#14 timelapse

timelapse

Posted 03 October 2011 - 09:18 AM

OK, I'll let you know how I get on.

#15 timelapse

timelapse

Posted 05 October 2011 - 04:34 AM

Hello there, I'm afraid I'm still getting this debug pop-up. When I click No it pops up again?



