
Redirect, graphics interference, odd behavior


  • This topic is locked
19 replies to this topic

#1 tb12

tb12

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 09 November 2011 - 03:19 PM

Hi everyone; I have used this service before and it has been invaluable. I am running Windows XP Professional, Service Pack 3. Over the last several weeks I have experienced increasingly frequent redirects on Google. My system has slowed considerably and there seems to be some graphics interference as web pages do not load properly and scrolling causes some sort of graphics reload. I have discovered my system on in the morning which may be attributed to maintenance staff using the system overnight even though it is password protected. I am also having repeated notices for network password to be re-entered especially when the Outlook is updating messages; finally, the program updater is constantly running even when the settings have been changed. I am concerned about security due to all of these factors and would like what appears to be some type of infection cleaned out.
Thanks in advance.



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:50 PM

Posted 09 November 2011 - 03:36 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 tb12


Posted 09 November 2011 - 05:03 PM

Broni, thanks for the prompt response. I will follow your direction. Unfortunately I cannot attend to all the scans yet today as I have to pick up my son from the airport so likely I will post the logs tomorrow.

#4 tb12


Posted 09 November 2011 - 05:04 PM

Received McAfee site advisor warning about Security Check from your link.

#5 Broni


Posted 09 November 2011 - 05:05 PM

Disregard it. All downloads are perfectly safe.



#6 tb12


Posted 09 November 2011 - 05:22 PM

I proceeded through the warning to the site "sacore"? The page would not load then my system froze completely. After repeated End Process in Task Manager the entire IE closed.

#7 Broni


Posted 09 November 2011 - 05:38 PM

I uploaded Security Check file for you here: http://www.filedropper.com/securitycheck



#8 tb12


Posted 10 November 2011 - 11:29 AM

I downloaded from your link but the file would not unzip with the message: format unknown or damaged.

#9 Broni


Posted 10 November 2011 - 01:40 PM

It's a straight file not zipped.
Just double click on it to run it.



#10 tb12


Posted 10 November 2011 - 03:05 PM

I am also having some issues with BC in that my posts do not always appear the first time. Re the previous reply, I was able to download from your link; however, when I clicked on the program it started then stated the archive was an unknown format or damaged. I sent that download to recycle then tried again to download from the original link without success. Finally, I tried a download from the original link with Firefox and that worked. The file size was different and it ran and produced a log. I am scanning with Tools and then MBAM and GMER. I will post logs here.

#11 tb12


Posted 10 November 2011 - 03:52 PM

Ran Security Check, Tools and MBAM. GMER running now; however, it will be a while as there are tons of files. I also use a 1 terabyte external hard drive which I am not scanning.

#12 tb12


Posted 10 November 2011 - 03:55 PM

Are the logs to be pasted into reply post or the files uploaded?

#13 Broni


Posted 10 November 2011 - 03:59 PM

Pasted.



#14 tb12


Posted 10 November 2011 - 08:08 PM

Security check:
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

McAfee SecurityCenter
McAfee Virtual Technician
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java Media Framework 2.1.1e
Java™ 6 Update 15
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 11.0.1.152
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Tools:
MiniToolBox by Farbar
Ran by Thomas Bueschel (administrator) on 10-11-2011 at 14:07:49
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : TAB-OFFICE

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC

Physical Address. . . . . . . . . : 00-21-9B-23-33-BA

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 10.0.0.4

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.0.0.1

DHCP Server . . . . . . . . . . . : 10.0.0.1

DNS Servers . . . . . . . . . . . : 10.0.0.1

Lease Obtained. . . . . . . . . . : Thursday, November 10, 2011 11:26:08 AM

Lease Expires . . . . . . . . . . : Friday, November 11, 2011 11:26:08 AM

Server: UnKnown
Address: 10.0.0.1

Name: google.com
Addresses: 74.125.225.50, 74.125.225.52, 74.125.225.51, 74.125.225.49
74.125.225.48



Pinging google.com [74.125.225.82] with 32 bytes of data:



Reply from 74.125.225.82: bytes=32 time=9ms TTL=54

Reply from 74.125.225.82: bytes=32 time=9ms TTL=54



Ping statistics for 74.125.225.82:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 9ms, Maximum = 9ms, Average = 9ms

Server: UnKnown
Address: 10.0.0.1

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 72.30.2.43, 98.137.149.56
98.139.180.149



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=68ms TTL=54

Reply from 209.191.122.70: bytes=32 time=58ms TTL=54



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 58ms, Maximum = 68ms, Average = 63ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 21 9b 23 33 ba ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.4 20
10.0.0.0 255.255.255.0 10.0.0.4 10.0.0.4 20
10.0.0.4 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 10.0.0.4 10.0.0.4 20
224.0.0.0 240.0.0.0 10.0.0.4 10.0.0.4 20
255.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/10/2011 11:12:05 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE SECURITYCENTER.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (11/10/2011 11:12:05 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE SECURITYCENTER.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (11/10/2011 11:12:05 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE SECURITYCENTER.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (11/10/2011 11:12:05 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE SECURITYCENTER.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (11/10/2011 10:42:49 AM) (Source: Application Hang) (User: )
Description: Fault bucket 1180947459.

Error: (11/10/2011 10:42:34 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/09/2011 04:38:26 PM) (Source: Application Error) (User: )
Description: Faulting application McSvHost.exe, version 2.0.230.0, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000551a9.
Error in creating result PEAP-TLV in response to received PEAP-TLV (McSvHost.exe!ld!)

Error: (11/09/2011 04:36:12 PM) (Source: Application Error) (User: )
Description: Faulting application McSvHost.exe, version 2.0.230.0, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000551a9.
Processing media-specific event for [McSvHost.exe!ws!]

Error: (11/09/2011 04:21:13 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/04/2011 08:46:27 AM) (Source: Application Hang) (User: )
Description: Fault bucket -1688374465.


System errors:
=============
Error: (11/10/2011 00:28:13 PM) (Source: 0) (User: )
Description: \Device\Ide\iaStor0

Error: (11/10/2011 11:29:14 AM) (Source: DCOM) (User: SYSTEM)
Description: The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register with DCOM within the required timeout.

Error: (11/10/2011 11:26:20 AM) (Source: LDMS) (User: )
Description: Failed to initialize DmServer service. The service is not running. Error: C000003A

Error: (11/10/2011 11:26:20 AM) (Source: LDMS) (User: )
Description: Failed to open event VxKernel2VoldEvent, Error=C000003A.

Error: (11/10/2011 10:03:19 AM) (Source: LDMS) (User: )
Description: Failed to initialize DmServer service. The service is not running. Error: C000003A

Error: (11/10/2011 10:03:19 AM) (Source: LDMS) (User: )
Description: Failed to open event VxKernel2VoldEvent, Error=C000003A.

Error: (11/09/2011 04:49:04 PM) (Source: DCOM) (User: Thomas Bueschel)
Description: The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register with DCOM within the required timeout.

Error: (11/09/2011 04:35:37 PM) (Source: LDMS) (User: )
Description: Failed to initialize DmServer service. The service is not running. Error: C000003A

Error: (11/09/2011 04:35:37 PM) (Source: LDMS) (User: )
Description: Failed to open event VxKernel2VoldEvent, Error=C000003A.

Error: (11/09/2011 02:35:28 PM) (Source: 0) (User: )
Description: \Device\Ide\iaStor0


Microsoft Office Sessions:
=========================
Error: (11/10/2010 10:12:22 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 266 seconds with 240 seconds of active time. This session ended with a crash.

Error: (08/24/2010 02:01:40 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 771 seconds with 240 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

ABBYY FineReader 6.0 Sprint (Version: 6.00.1395.4512)
Adobe Acrobat X Pro - English, Français, Deutsch (Version: 10.1.1)
Adobe Flash Player 11 ActiveX (Version: 11.0.1.152)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Akamai NetSession Interface Service
AMD APP SDK Runtime (Version: 2.5.775.2)
AMD Catalyst Install Manager (Version: 3.0.847.0)
AnswerWorks 5.0 English Runtime (Version: 5.0.7)
Apple Application Support (Version: 2.1.5)
Apple Mobile Device Support (Version: 4.0.0.96)
Apple Software Update (Version: 2.1.3.127)
AT&T Unified Messaging
AT&T Yahoo! Applications
Bonjour (Version: 3.0.0.10)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2011.0908.1321.22053)
Catalyst Control Center (Version: 2011.1012.1558.26748)
Catalyst Control Center Graphics Previews Common (Version: 2011.0908.1321.22053)
Catalyst Control Center Graphics Previews Common (Version: 2011.1012.1558.26748)
Catalyst Control Center InstallProxy (Version: 2011.1012.1558.26748)
ccc-utility (Version: 2011.0908.1321.22053)
ccc-utility (Version: 2011.1012.1558.26748)
CCC Help English (Version: 2011.0908.1320.22053)
CCC Help English (Version: 2011.1012.1557.26748)
CDDRV_Installer (Version: 4.60)
Choice Guard (Version: 1.2.87.0)
Dell Support Center (Version: 2.1.08060)
Diagnostics Utility (Version: 1.00.0000)
Disk Doctors Photo Recovery (Win) (Version: 2.0.0.26)
Epson Copy Utility 3.5 (Version: 3.5.0.0)
Epson Event Manager (Version: 2.30.01)
EPSON GT-1500 User's Guide
EPSON Scan
EPSON Scan PDF EXtensions (Version: 1.00.0000)
Google Chrome (Version: 15.0.874.106)
Google Earth (Version: 6.0.3.2197)
Google Update Helper (Version: 1.3.21.79)
Intel® Matrix Storage Manager
ISIS Driver - EPSON GT-1500 v1.0 (Version: 1.0)
iTunes (Version: 10.5.0.142)
Java Media Framework 2.1.1e
Java™ 6 Update 15 (Version: 6.0.150)
Java™ 6 Update 7 (Version: 1.6.0.70)
Junk Mail filter update (Version: 14.0.8050.1202)
KhalInstallWrapper (Version: 2.00.0000)
Logitech SetPoint (Version: 4.80)
Magic Berry
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
McAfee SecurityCenter (Version: 11.0.623)
McAfee Virtual Technician (Version: 5.5.1.0)
MFCLOC (Version: 1.00.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Basic 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Outlook Personal Folders Backup (Version: 1.10.0.0)
Microsoft Search Enhancement Pack (Version: 1.3.59.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox 7.0.1 (x86 en-US) (Version: 7.0.1)
MSG Viewer 2.03
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB927977) (Version: 6.00.3890.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PaperPort Image Printer (Version: 1.00.0000)
PowerDVD DX (Version: 8.2.5711)
PST Walker Evaluation 5.01
Quicken 2009 (Version: 18.1.1.29)
QuickTime (Version: 7.71.80.42)
Realtek High Definition Audio Driver (Version: 5.10.0.5678)
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator BDAV Plugin (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Roxio Drag-to-Disc (Version: 9.1)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Update Manager (Version: 6.0.0)
ScanSoft PaperPort 11 (Version: 11.1.0000)
Segoe UI (Version: 14.0.4327.805)
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
SUPERAntiSpyware Free Edition (Version: 4.37.0.1000)
SureThing CD Labeler Deluxe 3.0
ViewSonic Monitor Drivers
WD Anywhere Backup
WD Anywhere Backup Premium
WD Anywhere Backup Premium Extension (Version: 4.0.0)
WD Diagnostics (Version: 1.09.0002)
WD Drive Manager (x86) (Version: 2.62)
WebFldrs XP (Version: 9.50.7523)
WIDCOMM Bluetooth Software (Version: 5.1.0.2700)
Windows 7 Upgrade Advisor (Version: 2.0.5000.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8050.1202)
Windows Live Communications Platform (Version: 14.0.8050.1202)
Windows Live Essentials (Version: 14.0.8050.1202)
Windows Live Mail (Version: 14.0.8050.1202)
Windows Live Messenger (Version: 14.0.8050.1202)
Windows Live Photo Gallery (Version: 14.0.8051.1204)
Windows Live Sync (Version: 14.0.8050.1202)
Windows Live Toolbar (Version: 14.0.8052.1208)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8050.1202)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Search 4.0 (Version: 04.00.6001.503)
WorkForce GT-1500 Scanner Driver Update
XML Paper Specification Shared Components Pack 1.0
Yahoo! Software Update

========================= Memory info: ===================================

Percentage of memory in use: 22%
Total physical RAM: 3070.91 MB
Available physical RAM: 2384.84 MB
Total Pagefile: 4955.46 MB
Available Pagefile: 3970.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.65 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:298.03 GB) (Free:254.05 GB) NTFS
3 Drive e: (My Book) (Fixed) (Total:931.28 GB) (Free:906.6 GB) FAT32

========================= Users: ========================================

User accounts for \\TAB-OFFICE

Administrator Guest HelpAssistant
SUPPORT_388945a0 Thomas Bueschel


**** End of log ****

MBAM:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8134

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/10/2011 2:15:53 PM
mbam-log-2011-11-10 (14-15-53).txt

Scan type: Quick scan
Objects scanned: 183097
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-10 18:34:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.1AC0
Running: GMER.exe; Driver: C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\uxtiiaow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DC64C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DC64D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DC6500]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DC6556]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DC64AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DC6484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DC6498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DC64EA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DC652C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DC6516]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DC6580]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DC656C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DC6540]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DC6544 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DC655A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DC6570 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9DC6530 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DC6488 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DC649C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DC6584 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DC651A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DC64EE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DC64C4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DC64D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DC6504 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DC64B0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9449000, 0x2B330C, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[316] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[316] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0011
.text C:\WINDOWS\system32\svchost.exe[316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E0FDB
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0F44
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D0F55
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0F72
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0F8D
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0F9E
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0056
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0F0E
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0071
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0ED8
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0082
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D002F
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D0F1F
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0FB9
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0FD4
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0EF3
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A50076
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50051
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A50040
.text C:\WINDOWS\system32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00033
.text C:\WINDOWS\system32\svchost.exe[316] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00022
.text C:\WINDOWS\system32\svchost.exe[316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A00FCD
.text C:\WINDOWS\system32\svchost.exe[316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00FB2
.text C:\WINDOWS\system32\svchost.exe[316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F57
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900042
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900031
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900F68
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FA8
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F35
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F46
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900EFF
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900F10
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900EEE
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900F8D
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900067
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0090008E
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F81
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FA6
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FB7
.text C:\WINDOWS\system32\svchost.exe[696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00920FD4
.text C:\WINDOWS\system32\svchost.exe[696] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 0092002F
.text C:\WINDOWS\system32\svchost.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FE5
.text C:\WINDOWS\System32\svchost.exe[768] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01600000
.text C:\WINDOWS\System32\svchost.exe[768] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01600036
.text C:\WINDOWS\System32\svchost.exe[768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01600025
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015F0000
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015F0098
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015F0FA3
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015F0FBE
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015F0087
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015F006C
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015F00BF
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015F0F77
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015F0F26
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015F0F37
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015F00DA
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015F0FE5
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015F001B
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015F0F88
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015F0047
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015F0036
.text C:\WINDOWS\System32\svchost.exe[768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015F0F52
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01640FB9
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01640F9E
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01640FD4
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0164000A
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0164005B
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01640FEF
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01640040
.text C:\WINDOWS\System32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0164002F
.text C:\WINDOWS\System32\svchost.exe[768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0163005F
.text C:\WINDOWS\System32\svchost.exe[768] msvcrt.dll!system 77C293C7 5 Bytes JMP 0163004E
.text C:\WINDOWS\System32\svchost.exe[768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01630033
.text C:\WINDOWS\System32\svchost.exe[768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01630000
.text C:\WINDOWS\System32\svchost.exe[768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01630FDE
.text C:\WINDOWS\System32\svchost.exe[768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01630FEF
.text C:\WINDOWS\System32\svchost.exe[768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01620FEF
.text C:\WINDOWS\System32\svchost.exe[768] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 01610000
.text C:\WINDOWS\System32\svchost.exe[768] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 01610FE5
.text C:\WINDOWS\System32\svchost.exe[768] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 01610FD4
.text C:\WINDOWS\System32\svchost.exe[768] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 01610025
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01120000
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01120FDB
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01120011
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F83
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0078
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F4B
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0093
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00C9
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F30
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00DA
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F72
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF00AE
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01150FC3
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0115005B
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01150FD4
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01150014
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0115004A
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01150FEF
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01150039
.text C:\WINDOWS\system32\services.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01150FA8
.text C:\WINDOWS\system32\services.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0114003D
.text C:\WINDOWS\system32\services.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 01140FB2
.text C:\WINDOWS\system32\services.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01140FDE
.text C:\WINDOWS\system32\services.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0114000C
.text C:\WINDOWS\system32\services.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01140FC3
.text C:\WINDOWS\system32\services.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01140FEF
.text C:\WINDOWS\system32\services.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01130000
.text C:\WINDOWS\system32\lsass.exe[1224] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[1224] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\lsass.exe[1224] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F86
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F97
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0065
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0FA8
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00BD
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F75
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F53
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00E2
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0107
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD00A0
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\lsass.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F64
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90098
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90087
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F9006C
.text C:\WINDOWS\system32\lsass.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F9005B
.text C:\WINDOWS\system32\lsass.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F8003D
.text C:\WINDOWS\system32\lsass.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F80FB2
.text C:\WINDOWS\system32\lsass.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F80FD7
.text C:\WINDOWS\system32\lsass.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80022
.text C:\WINDOWS\system32\lsass.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\lsass.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F80FB9
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F5C
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F6D
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F94
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FA5
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70082
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F70F3A
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70F0E
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70F1F
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70EFD
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F4B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FC0
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F7009D
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB002F
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB004A
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0F97
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0FA8
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0FC3
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0F92
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0FAD
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0FE3
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FBE
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA001D
.text C:\WINDOWS\system32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1596] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C500A4
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50093
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50076
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C500E1
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C500C6
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C500F2
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F59
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C5010D
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C5001B
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C500B5
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[1596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F7E
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90051
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90014
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90F9E
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP C89FEDE5
.text C:\WINDOWS\system32\svchost.exe[1596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80F9A
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80FC6
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FB5
.text C:\WINDOWS\system32\svchost.exe[1596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80FD7
.text C:\WINDOWS\system32\svchost.exe[1596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\System32\svchost.exe[1720] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02570FEF
.text C:\WINDOWS\System32\svchost.exe[1720] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0257001E
.text C:\WINDOWS\System32\svchost.exe[1720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02570FDE
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02560FEF
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0256007D
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02560F88
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02560062
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02560FAF
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02560040
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025600AE
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02560F5C
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02560F37
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025600D0
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025600EB
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02560051
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0256000A
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02560F6D
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0256002F
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02560FDE
.text C:\WINDOWS\System32\svchost.exe[1720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025600BF
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02E60FCA
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02E60F79
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02E6001B
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02E60FEF
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02E60F8A
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02E6000A
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02E60036
.text C:\WINDOWS\System32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02E60FAF
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02E50042
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!system 77C293C7 5 Bytes JMP 02E50FB7
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02E50FE3
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02E50000
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02E50FC8
.text C:\WINDOWS\System32\svchost.exe[1720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02E50011
.text C:\WINDOWS\System32\svchost.exe[1720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02E40FEF
.text C:\WINDOWS\System32\svchost.exe[1720] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 02E30FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[1044] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0040A4B0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[1044] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0040A510] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

think that's it.

#15 Broni


Posted 10 November 2011 - 08:35 PM

Which browser is getting redirected?

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
