
Trojans & Browser Redirects



#1 Tim111


Posted 05 November 2011 - 10:17 AM

Hello All,
This past week I have been fighting an infection. I have run scans using Emsisoft Anti-Malware, Malwarebytes, Spybot Search & Destroy, SUPERAntiSpyware, McAfee and TDSSKiller. They have pulled out a few trojans but are now coming up empty, and I still have a browser redirect and also can't save a downloaded file after I click a download link.

After reading a few similar posts I ran a scan using RKUnhooker. The log is posted below. Please help me. I'm about ready to throw the Windows disc in and say F it....

EDIT:
I removed the log. Apparently I am not supposed to post logs until asked to do so. Sorry. Also, I am running XP with the latest service packs and up-to-date Java.

Edited by Tim111, 05 November 2011 - 12:20 PM.



 


#2 Broni


Posted 05 November 2011 - 08:41 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


 


#3 Tim111


Posted 08 November 2011 - 08:45 AM

Thanks for helping me with this!!!

Here are the requested logs:

Checkup.txt

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee Total Protection
McAfee Online Backup
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Malwarebytes' Anti-Malware
Java™ 6 Update 29
Java 2 Runtime Environment, SE v1.4.2_19
Adobe Flash Player 11.0.1.152
Adobe Reader X (10.1.0) Adobe Reader Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee Online Backup MOBKbackup.exe
``````````End of Log````````````

MiniToolBox log:

MiniToolBox by Farbar
Ran by Timothy Grace (administrator) on 07-11-2011 at 11:54:54
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


127.0.0.1 localhost

There are 15072 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : TimsComputer

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller

Physical Address. . . . . . . . . : 00-12-3F-4A-5D-28

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.103

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 192.168.0.1

Lease Obtained. . . . . . . . . . : Monday, November 07, 2011 11:43:25 AM

Lease Expires . . . . . . . . . . : Monday, November 14, 2011 11:43:25 AM

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.226.244, 74.125.226.243, 74.125.226.240, 74.125.226.242
74.125.226.241



Pinging google.com [74.125.226.241] with 32 bytes of data:



Reply from 74.125.226.241: bytes=32 time=37ms TTL=55

Reply from 74.125.226.241: bytes=32 time=36ms TTL=55



Ping statistics for 74.125.226.241:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 36ms, Maximum = 37ms, Average = 36ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 72.30.2.43, 98.137.149.56
98.139.180.149



Pinging yahoo.com [98.139.180.149] with 32 bytes of data:



Reply from 98.139.180.149: bytes=32 time=95ms TTL=49

Reply from 98.139.180.149: bytes=32 time=96ms TTL=49



Ping statistics for 98.139.180.149:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 95ms, Maximum = 96ms, Average = 95ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=48

Reply from 127.0.0.1: bytes=32 time<1ms TTL=48



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 12 3f 4a 5d 28 ...... Broadcom NetXtreme 57xx Gigabit Controller - McAfee Core NDIS Intermediate Filter Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.103 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.103 192.168.0.103 20
192.168.0.0 255.255.255.0 192.168.0.103 192.168.0.103 20
192.168.0.103 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.103 192.168.0.103 20
224.0.0.0 240.0.0.0 192.168.0.103 192.168.0.103 20
255.255.255.255 255.255.255.255 192.168.0.103 192.168.0.103 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/05/2011 09:33:54 AM) (Source: MsiInstaller) (User: Timothy Grace)Timothy Grace
Description: Product: Java™ 6 Update 29 -- Error 1704.An installation for Kaspersky Internet Security 2012 is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Error: (11/04/2011 11:04:00 AM) (Source: Application Hang) (User: )
Description: Hanging application acad.exe, version 23.0.54.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/02/2011 11:49:27 AM) (Source: Application Hang) (User: )
Description: Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/01/2011 04:08:09 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (11/01/2011 04:08:09 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (11/01/2011 04:08:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (11/01/2011 04:08:03 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (11/01/2011 04:07:56 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (11/01/2011 04:07:51 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (11/01/2011 04:07:49 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.


System errors:
=============
Error: (11/07/2011 11:43:35 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
KLIF

Error: (11/07/2011 11:27:19 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
KLIF

Error: (11/05/2011 01:10:58 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Online Backup service terminated unexpectedly. It has done this 1 time(s).

Error: (11/05/2011 01:09:12 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
KLIF

Error: (11/05/2011 01:06:48 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (11/05/2011 11:22:10 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/05/2011 11:22:10 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/05/2011 11:22:10 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/05/2011 11:22:10 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (11/05/2011 11:22:10 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service McNaiAnn with arguments ""
in order to run the server:
{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}


Microsoft Office Sessions:
=========================
Error: (11/05/2011 09:33:54 AM) (Source: MsiInstaller)(User: Timothy Grace)Timothy Grace
Description: Product: Java™ 6 Update 29 -- Error 1704.An installation for Kaspersky Internet Security 2012 is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?(NULL)(NULL)(NULL)

Error: (11/04/2011 11:04:00 AM) (Source: Application Hang)(User: )
Description: acad.exe23.0.54.0hungapp0.0.0.000000000

Error: (11/02/2011 11:49:27 AM) (Source: Application Hang)(User: )
Description: SpybotSD.exe1.6.2.46hungapp0.0.0.000000000

Error: (11/01/2011 04:08:09 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (11/01/2011 04:08:09 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (11/01/2011 04:08:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (11/01/2011 04:08:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (11/01/2011 04:07:56 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (11/01/2011 04:07:51 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (11/01/2011 04:07:49 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.


=========================== Installed Programs ============================

ABBYY FineReader 6.0 Sprint (Version: 6.00.1395.4512)
Acrobat.com (Version: 2.0.0)
Acrobat.com (Version: 2.0.0.0)
Adobe Acrobat 6.0 Professional (Version: 006.000.000)
Adobe AIR (Version: 1.5.3.9120)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge 1.0 (Version: 001.000.000)
Adobe Common File Installer (Version: 1.00.0000)
Adobe Flash Player 10 ActiveX (Version: 10.3.183.10)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Adobe Help Center 1.0 (Version: 001.000.000)
Adobe Photoshop CS2 (Version: 9.0)
Adobe Reader X (10.1.0) (Version: 10.1.0)
Adobe Stock Photos 1.0 (Version: 001.000.000)
Apple Application Support (Version: 1.2.1)
Apple Mobile Device Support (Version: 2.6.0.32)
Apple Software Update (Version: 2.1.1.116)
ArcSoft MediaImpression
ATI - Software Uninstall Utility (Version: 6.14.10.1015)
ATI Catalyst Control Center (Version: 1.2.2400.31026)
ATI Display Driver (Version: 8.263.5.1-060607a-035600C-Dell)
AutoCAD 2007 - English (Version: 17.0.54.110)
Autodesk DWF Viewer (Version: 6.5)
Bonjour (Version: 1.0.106)
Broadcom Gigabit Integrated Controller (Version: 8.10.07)
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Epson Copy Utility 3.5 (Version: 3.5.0.0)
Epson Event Manager (Version: 2.30.01)
EPSON Perfection V30/V300 Photo Scanner Driver Update
EPSON Scan
Google Earth (Version: 6.0.3.2197)
Google Update Helper (Version: 1.3.21.79)
iTunes (Version: 9.0.2.25)
Java 2 Runtime Environment, SE v1.4.2_19 (Version: 1.4.2_19)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
LightScribe System Software (Version: 1.18.10.2)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
McAfee Online Backup
McAfee Online Backup (Version: 1.16.4.0)
McAfee Total Protection (Version: 11.0.623)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Word Viewer 2003 (Version: 11.0.8173.0)
Microsoft Office XP Small Business (Version: 10.0.2627.01)
Mozilla Firefox (3.6.23) (Version: 3.6.23 (en-US))
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
QuickTime (Version: 7.66.71.0)
Roxio DLA (Version: 5.2.0)
SoundMAX (Version: 5.12.01.5246)
SUPERAntiSpyware (Version: 5.0.1134)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 20%
Total physical RAM: 2046.07 MB
Available physical RAM: 1620.65 MB
Total Pagefile: 3938.47 MB
Available Pagefile: 3426.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.96 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:37.2 GB) (Free:22.19 GB) NTFS
4 Drive z: () (Network) (Total:48.47 GB) (Free:38.5 GB) NTFS

========================= Users: ========================================

User accounts for \\TIMSCOMPUTER

Administrator Guest HelpAssistant
SUPPORT_388945a0 Timothy


**** End of log ****



Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8107

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/7/2011 12:03:31 PM
mbam-log-2011-11-07 (12-03-31).txt

Scan type: Quick scan
Objects scanned: 158061
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 08:37:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST340014AS rev.8.12
Running: dgbgrq4v.exe; Driver: C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\pxdyypog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xBA6A4290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xBA6A42A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBA6A42D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBA6A4326]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xBA6A427C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xBA6A4254]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xBA6A4268]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xBA6A42BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xBA6A42FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xBA6A42E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBA6A4350]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBA6A433C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xBA6A4310]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP BA6A4314 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP BA6A432A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP BA6A4340 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05F8 5 Bytes JMP BA6A4300 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP BA6A4258 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP BA6A426C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP BA6A4354 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP BA6A42EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP BA6A42BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP BA6A4294 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP BA6A42A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP BA6A42D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP BA6A4280 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9B3BF80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EF0040
.text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EE0F83
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EE0F94
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EE0FAF
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EE0FC0
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EE0051
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EE00C1
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EE00A4
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE0F43
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE0F54
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EE00F7
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EE0062
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EE000A
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EE0093
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EE0036
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EE0025
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EE00D2
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60065
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F6002F
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60F9E
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F60040
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FB9
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F1004B
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F1003A
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10029
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\services.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F6B
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F7C
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F3F
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0091
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00C7
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F2E
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F09
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F5A
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00AC
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90FB2
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90014
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C9006F
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C9004A
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FB7
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0038
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD001D
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FC8
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\lsass.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AF0014
.text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AE0F97
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AE008C
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AE0FB2
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AE0FC3
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AE004A
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AE00D5
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AE00B8
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AE0F57
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AE00F0
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AE0F46
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AE0065
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AE0FDE
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AE00A7
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AE002F
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AE0014
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AE0F72
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B20FC3
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B20043
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B20F86
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B20FA1
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D2, 88]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B20FB2
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B10050
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B1003F
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B1001D
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B1002E
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B10FE3
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\svchost.exe[1348] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\svchost.exe[1348] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B40011
.text C:\WINDOWS\system32\svchost.exe[1348] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B30F68
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B30F8D
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B3005B
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B30F9E
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B30FAF
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B30F46
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B30F57
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B30F10
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B300A9
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B30EF5
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B30036
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B30011
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B30082
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B30FC0
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B30FDB
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B30F2B
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B20F97
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B20040
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B20025
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B20FB2
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B20FC3
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D2, 88]
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50044
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B50018
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B50029
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B50FDE
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50090
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50075
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50F9B
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50FB6
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C5003D
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C50F65
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C500A1
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50F14
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F2F
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C500C8
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50058
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F76
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C5002C
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50011
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F54
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD005B
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD004A
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0F9E
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\WINDOWS\system32\svchost.exe[1392] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0025
.text C:\WINDOWS\system32\svchost.exe[1392] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80FDE
.text C:\WINDOWS\system32\svchost.exe[1392] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80069
.text C:\WINDOWS\system32\svchost.exe[1392] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1392] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C8000C
.text C:\WINDOWS\system32\svchost.exe[1392] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C8004E
.text C:\WINDOWS\system32\svchost.exe[1392] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80029
.text C:\WINDOWS\system32\svchost.exe[1392] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 025F0FEF
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 025F0FCA
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 025F0000
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025E0000
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025E0073
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025E0062
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025E0F94
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025E0051
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025E0040
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025E009F
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025E0084
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025E00CB
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025E0F32
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025E00E6
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025E0FB9
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025E0FE5
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025E0F59
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025E0025
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025E0FD4
.text C:\WINDOWS\System32\svchost.exe[1516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025E00B0
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02840FC3
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0284004A
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02840FD4
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02840FE5
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0284002F
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02840000
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02840F8D
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A4, 8A]
.text C:\WINDOWS\System32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02840FA8
.text C:\WINDOWS\System32\svchost.exe[1516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02830FA3
.text C:\WINDOWS\System32\svchost.exe[1516] msvcrt.dll!system 77C293C7 5 Bytes JMP 02830FBE
.text C:\WINDOWS\System32\svchost.exe[1516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0283001D
.text C:\WINDOWS\System32\svchost.exe[1516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0283000C
.text C:\WINDOWS\System32\svchost.exe[1516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0283002E
.text C:\WINDOWS\System32\svchost.exe[1516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02830FEF
.text C:\WINDOWS\System32\svchost.exe[1516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02820FEF
.text C:\WINDOWS\System32\svchost.exe[1516] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02600FE5
.text C:\WINDOWS\System32\svchost.exe[1516] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02600000
.text C:\WINDOWS\System32\svchost.exe[1516] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02600FC0
.text C:\WINDOWS\System32\svchost.exe[1516] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02600FAF
.text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00640FCA
.text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0063006A
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00630F6B
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630F7C
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00630F8D
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00630FB9
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006300AC
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00630F5A
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00630F35
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006300CE
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006300E9
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630FA8
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00630085
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00630FCA
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00630025
.text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006300BD
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0078001E
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780F97
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780FC3
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780FD4
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780054
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00780043
.text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780FB2
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00660FB0
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!system 77C293C7 5 Bytes JMP 00660FC1
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0066001D
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00660FD2
.text C:\WINDOWS\system32\svchost.exe[1644] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00660FE3
.text C:\WINDOWS\system32\svchost.exe[1644] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0025
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0047
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D0F5C
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0036
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0025
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0F9E
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0F10
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0F21
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0EDA
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0073
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0EC9
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0F83
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D0058
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0FB9
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0EF5
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A50FC3
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A5005E
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50F97
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A50FA8
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 88]
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A5002F
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00042
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00FB7
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A0001D
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00FD2
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00FE3
.text C:\WINDOWS\system32\svchost.exe[1768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910011
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0090008C
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F97
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900071
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900FA8
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900039
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000DD
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009000C2
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009000FF
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000EE
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F55
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0090004A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FDE
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009000B1
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F70
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0042
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FB7
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE000C
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0031
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00920FD4
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FE5
.text C:\WINDOWS\Explorer.EXE[2492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\Explorer.EXE[2492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090025
.text C:\WINDOWS\Explorer.EXE[2492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B007F
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F94
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B006E
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FA5
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F4F
.text C:\WINDOWS\Explorer.EXE[2492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00A1

#4 Broni

Posted 08 November 2011 - 04:42 PM

I don't see much there.
Some more advanced tools will be needed.

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include any required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!
