
windows xp 2012 virus


  • This topic is locked
69 replies to this topic

#1 BreeLovesPc

BreeLovesPc

  • Members
  • 99 posts
  • Gender:Female

Posted 10 December 2011 - 02:56 PM

:( my computer has yet again been infected with another virus called the windows xp 2012 virus. The virus is very much like the ones I have encountered throughout this past year. It pops up and begins to scan my computer claiming that I have all types of threats on my computer and it will not let me access the internet. I had to put my computer in safe mode with networking in order to access the Firefox browser.


#2 Orange Blossom

Orange Blossom

OBleepin Investigator


  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 11 December 2011 - 07:25 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 BreeLovesPc

BreeLovesPc
  • Topic Starter

  • Members
  • 99 posts
  • Gender:Female

Posted 12 December 2011 - 11:45 PM

Ok I have tried to run dds, but every time I do, it never ever has the text reports pop up after the scan. So I guess I could skip that part....but when I run gmer it takes forever. How long does it usually run? It seems like I run it all night on my computer and it still doesn't get finished with the scan.

Edited by BreeLovesPc, 12 December 2011 - 11:46 PM.


#4 BreeLovesPc

BreeLovesPc
  • Topic Starter

  • Members
  • 99 posts
  • Gender:Female

Posted 16 December 2011 - 09:16 AM

Okay...finally got gmer to finish. The following is the log. Unfortunately I was not able to get the dds.txt log.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-16 06:41:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3160815AS rev.3.AAC
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdapow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF72D8D70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF72D8D84]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF72D8DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF72D8E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF72D8D5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF72D8D34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF72D8D48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF72D8D9A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF72D8DDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF72D8DC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF72D8E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF72D8E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF72D8DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text serial.sys F75AF000 291 Bytes [D6, 68, AE, F0, 5A, F7, 8D, ...]
.text serial.sys F75AF124 81 Bytes [FF, 81, 7D, 0C, 80, 15, 5B, ...]
.text serial.sys F75AF176 211 Bytes [85, 39, 04, 00, 00, 8B, 46, ...]
.text serial.sys F75AF24B 8 Bytes [39, 5D, 0C, 0F, 84, 28, FC, ...]
.text serial.sys F75AF254 31 Bytes [81, 7D, 0C, 80, 15, 5B, F7, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\serial.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[324] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[488] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[488] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C30FCD
.text C:\WINDOWS\system32\svchost.exe[488] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C30FDE
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F30
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20F41
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F68
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F83
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20025
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20EE7
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20EF8
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20EB8
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C2005B
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20EA7
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20F15
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20FB9
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C2004A
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70033
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F98
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70022
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C70055
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70FB3
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[488] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70044
.text C:\WINDOWS\system32\svchost.exe[488] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60053
.text C:\WINDOWS\system32\svchost.exe[488] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60042
.text C:\WINDOWS\system32\svchost.exe[488] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\svchost.exe[488] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C6000C
.text C:\WINDOWS\system32\svchost.exe[488] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60027
.text C:\WINDOWS\system32\svchost.exe[488] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[488] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[488] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[488] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[488] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\system32\svchost.exe[488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\Explorer.EXE[516] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0157000A
.text C:\WINDOWS\Explorer.EXE[516] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01570FCA
.text C:\WINDOWS\Explorer.EXE[516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01570FE5
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01560000
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01560091
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01560FA6
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01560FB7
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01560FD4
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0156005B
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01560F64
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01560F81
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01560F13
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01560F38
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01560EF8
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01560076
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0156001B
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015600A2
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0156004A
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01560FEF
.text C:\WINDOWS\Explorer.EXE[516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01560F49
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01670FAF
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0167004A
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0167000A
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01670FD4
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01670F8D
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01670FEF
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01670F9E
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [87, 89]
.text C:\WINDOWS\Explorer.EXE[516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01670025
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01660049
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!system 77C293C7 5 Bytes JMP 01660FBE
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01660FE3
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0166000C
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01660038
.text C:\WINDOWS\Explorer.EXE[516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0166001D
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 01580000
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 01580FE5
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 0158001B
.text C:\WINDOWS\Explorer.EXE[516] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 01580FCA
.text C:\WINDOWS\Explorer.EXE[516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01590FE5
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050FC0
.text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040089
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040078
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040067
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0004004A
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000400BF
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000400AE
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000400DA
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040F41
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000400FF
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F83
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[1072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F52
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB0039
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB0F72
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0F8D
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\services.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0F9E
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070F9C
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070FB7
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070016
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070027
.text C:\WINDOWS\system32\services.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070FD2
.text C:\WINDOWS\system32\services.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01110000
.text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01110025
.text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01100000
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01100078
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01100067
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01100F8D
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01100FA8
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01100FCA
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011000A4
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01100F5C
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011000DA
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011000C9
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011000EB
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01100FB9
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0110001B
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01100089
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01100FE5
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01100036
.text C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01100F41
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01150FD4
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01150F79
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01150FE5
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0115001B
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01150036
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0115000A
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01150F9E
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [35, 89]
.text C:\WINDOWS\system32\lsass.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01150FAF
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0114002F
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 01140F9A
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01140FC6
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01140FE3
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01140FB5
.text C:\WINDOWS\system32\lsass.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01140000
.text C:\WINDOWS\system32\lsass.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01130000
.text C:\WINDOWS\system32\lsass.exe[1084] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 01120000
.text C:\WINDOWS\system32\lsass.exe[1084] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 0112001B
.text C:\WINDOWS\system32\lsass.exe[1084] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 01120036
.text C:\WINDOWS\system32\lsass.exe[1084] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 01120051
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02420000
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02420FD4
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02420FE5
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0241000A
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02410F4B
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02410F66
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02410040
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02410F83
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02410FB9
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0241006C
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0241005B
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024100A2
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02410087
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024100B3
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02410F94
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0241001B
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02410F3A
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02410FD4
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02410FE5
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02410EFF
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02450040
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0245007D
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02450025
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02450014
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0245006C
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02450FEF
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02450FCA
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [65, 8A]
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02450051
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02440FB2
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!system 77C293C7 5 Bytes JMP 0244003D
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02440022
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02440FEF
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02440FCD
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02440FDE
.text C:\WINDOWS\system32\svchost.exe[1248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02430FE5
.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0F8A
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0F9B
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD007F
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0FC0
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0058
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD00BE
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00A1
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00EA
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F5B
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00FB
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0FD1
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0090
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD003D
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0022
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD00CF
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01030FD1
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01030F9B
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01030022
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01030011
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01030058
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01030FB6
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [23, 89]
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01030033
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01020062
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!system 77C293C7 5 Bytes JMP 01020FCD
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01020018
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0102003D
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01020FDE
.text C:\WINDOWS\system32\svchost.exe[1352] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01010FE5
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0078
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F9E
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F30
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F57
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00B8
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F1F
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB00D3
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F68
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FAF
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0093
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0084
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0022
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0011
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0073
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA0058
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0FD1
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 039D0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 039D0FD4
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 039D000A
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F7000A
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F4000C
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 039C0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 039C0078
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 039C0067
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 039C0056
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 039C0039
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 039C0F97
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 039C00C1
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 039C009A
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 039C00E6
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 039C0F43
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 039C0101
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 039C0028
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 039C0FD4
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 039C0089
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 039C0FA8
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 039C0FB9
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 039C0F5E
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03FB0FC0
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03FB0F79
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03FB001B
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03FB000A
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03FB0036
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03FB0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03FB0F94
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 8C]
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03FB0FA5
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03FA004E
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!system 77C293C7 5 Bytes JMP 03FA003D
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03FA0FCD
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03FA0000
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03FA0022
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03FA0011
.text C:\WINDOWS\System32\svchost.exe[1488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 039F0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 039E0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 039E0FDE
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 039E0FCD
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 039E0FBC
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00630F94
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00630FA5
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630073
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00630062
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00630051
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006300D0
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006300B5
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00630F41
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00630F52
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00630F26
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630FC0
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630011
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006300A4
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00630FDB
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0063002C
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00630F6D
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FA8
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0066004A
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FC3
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0066002F
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0066001E
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660F97
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FA4
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650FB5
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650FE3
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FC6
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A8001B
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F28
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A70F4D
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A70F5E
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A70F79
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FA5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A7007A
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70053
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A70EFC
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A7008B
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A700B0
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A70F94
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70038
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70011
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A70FC0
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A70F17
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0F79
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0F94
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AC0FA5
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CC, 88]
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0FC0
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0F9C
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0FAD
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FD2
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB0027
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB000C
.text C:\WINDOWS\system32\svchost.exe[1708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00A90025
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00A90036
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00ED0FE5
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00ED0011
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0F66
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0FA8
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0093
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F41
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC00BF
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00A4
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC00DA
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0F8D
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC006C
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0FC3
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC0F26
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10051
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10F9E
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10FAF
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F00033
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F0004E
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00018
.text C:\WINDOWS\system32\svchost.exe[1768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00EE0FD4
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00EE0FC3

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A9013D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F604C000-F6062000 (90112 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\YCI8RDXG.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\LP11YJUH.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\LW11KRF5.txt 1115 bytes
File C:\Documents and Settings\NetworkService\Cookies\FU7UJ0GO.txt 1918 bytes
File C:\Documents and Settings\NetworkService\Cookies\X5STCA1J.txt 2675 bytes
File C:\Documents and Settings\NetworkService\Cookies\X7BK1JT6.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\6T1XGIUU.txt 12080 bytes
File C:\Documents and Settings\NetworkService\Cookies\SI234VHI.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\O99LHHOT.txt 3205 bytes
File C:\Documents and Settings\NetworkService\Cookies\J7JT0E8B.txt 3050 bytes
File C:\Documents and Settings\NetworkService\Cookies\TFOE6B9A.txt 2262 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\if[1].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\imgad[1].gif 22307 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\impressioncount[2].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\impressioncount[3].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\15197-15197-pomegranate-glazed-turkey-health-thanksgiving-spry-relish__crop-square-76x76[1].jpg 2584 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\ajs[1].php 3741 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\ads[2].js 11943 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\6119293[1].htm 7870 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\24903_c_clickpayz_com[1].txt 155 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\content_grabnetworks_com[1].xml 14840 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\SenseHandler[1].ashx 45478 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L41YZ7ZY\fleche2[2].png 791 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L41YZ7ZY\24903_c_clickpayz_com[1].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\AdServerServlet[2].htm 1528 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\na[1].png 179 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\5B7U74Dg04k[1].jpg 15633 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\fb_icon[1].png 2471 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\GetAd[1].aspx 3647 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\boxMiddle[1].gif 54 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\ros[1].htm 1077 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\sb_suite_1_AS2[1].swf 35358 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\eventCA3T2691.flow 106 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\287351306_1_400_250[1].jpg 10981 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\17080;167535;201;js;Cadreon;Cadreon728x90BasedTargetingDEJ9111123111[1] 502 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\afe_specificclick_net[1].txt 975 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\sky-bottom[1].gif 890 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\1261937896@Top1[1] 115 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\Spark_WANT_300x250[1].swf 19557 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\crossdomain[9].xml 100 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\ExternalAdNetworkViewlogLogServlet[2].txt 5 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\f38ABbegyxQ[1].jpg 4473 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\9_uso2_com[1].txt 14159 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\1701292[1].xml 835 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\imp[3] 890 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\st[6] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\beacon[7].txt 69 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\AdServerServlet[4].htm 1330 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\AdServerServlet[5].htm 1573 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\GetAd[1].aspx 2019 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\GetAd[2].aspx 2017 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ptj[1] 162 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\fp[3] 20571 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\CreativeConfig_13[1].xml 18550 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\__utm[1].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\r[1].js 168 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\AdDisplayTrackerServletCA0MMI1Z.htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\log[4].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\1239926186@Bottom[1] 1868 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\p-00elAU1X2aPCI[1].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\in[1].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ajs[3].php 3121 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ajs[4].php 3743 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ajs[5].php 3521 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\300x250_mock28_triad_greyBG[1].png 766 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\TSRq[1].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\TSRs[2].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ajs[7].php 4143 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ajs[8].php 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\eventCAAKOXGG.flow 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\pixel[4] 3595 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\pixel[5] 3595 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\iframe!t=1209![7].txt 305 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ros[4] 1861 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\B6062744;sz=300x250;ord=4366947307205066718[1] 733 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ads[2].js 9952 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\PublisherEventServlet[3].txt 5 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\GetAd[1].aspx 2017 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\3426[1].gif 62 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202 0 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\bckfg.tmp 852 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\keywords 16 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\L 0 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\L\dmdczkoi 64512 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U 0 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\80000032.@ 98304 bytes
File C:\WINDOWS\$NtUninstallKB24289$\3502784138 0 bytes

---- EOF - GMER 1.0.15 ----

#5 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,632 posts
  • Gender:Male

Posted 16 December 2011 - 03:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431718 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 BreeLovesPc

BreeLovesPc
  • Topic Starter

  • Members
  • 99 posts
  • OFFLINE
  • Gender:Female
  • Local time:01:50 PM

Posted 18 December 2011 - 02:53 PM

Yes, I do still need help unfortunately. My problem still persists. I think I am infected with something called the Windows XP 2012 virus. My reason for thinking this is because on 12/10/11 I was web surfing and all of a sudden my Mozilla Firefox browser shut down on me. A short while after, a program by the name of Windows XP 2012 Security popped up and began to scan my computer. This virus also would not let me access the internet, claiming that it was unsafe. I immediately shut down my computer before the scan had time to finish because I had dealt with several viruses this year and recognized this to be one of them. I rebooted in safe mode with networking. From there I visited this site to download and run rkill. After running rkill, I updated Malwarebytes, ran a quick scan on my computer and deleted about 13 malware items it found after the scan was completed. After this I was able to reboot my computer normally and access my web browsers, and I haven't seen the program pop up anymore, but I can still tell that something is wrong with my computer because it's very laggy and slow. It was laggy and slow before 12/10/11, about a week before, letting me know something was wrong, but I figured maybe I needed to clean up some space on my hard drive. But as I was saying, my computer is very laggy and slow and it also does a lot of redirecting to other sites. I do want to take this time to say that even though this is the longest I've ever gone without receiving a response from a member of Bleeping Computer staff, I do understand that you all get overwhelmed a lot due to computer viruses being a common thing, and the help I've received here in the past has made the waiting worthwhile. I appreciate the time, patience, and help you all so generously give. Thanks again. Also, I was not able to obtain the dds.txt but I do have the GMER log. Here it is again...

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-16 06:41:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3160815AS rev.3.AAC
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdapow.sys

.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 039C0FB9
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 039C0F5E
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03FB0FC0
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03FB0F79
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03FB001B
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03FB000A
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03FB0036
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03FB0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03FB0F94
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 8C]
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03FB0FA5
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03FA004E
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!system 77C293C7 5 Bytes JMP 03FA003D
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03FA0FCD
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03FA0000
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03FA0022
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03FA0011
.text C:\WINDOWS\System32\svchost.exe[1488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 039F0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 039E0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 039E0FDE
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 039E0FCD
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 039E0FBC
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00630F94
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00630FA5
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630073
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00630062
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00630051
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006300D0
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006300B5
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00630F41
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00630F52
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00630F26
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630FC0
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630011
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006300A4
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00630FDB
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0063002C
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00630F6D
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FA8
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0066004A
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FC3
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0066002F
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0066001E
.text C:\WINDOWS\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660F97
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FA4
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650FB5
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650FE3
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FC6
.text C:\WINDOWS\system32\svchost.exe[1548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A8001B
.text C:\WINDOWS\system32\svchost.exe[1708] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F28
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A70F4D
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A70F5E
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A70F79
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FA5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A7007A
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70053
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A70EFC
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A7008B
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A700B0
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A70F94
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70038
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70011
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A70FC0
.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A70F17
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0F79
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0F94
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AC0FA5
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CC, 88]
.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0FC0
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0F9C
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0FAD
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FD2
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB0027
.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB000C
.text C:\WINDOWS\system32\svchost.exe[1708] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00A90025
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00A90036
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00ED0FE5
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00ED0011
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0F66
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0FA8
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0093
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F41
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC00BF
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00A4
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC00DA
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0F8D
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC006C
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0FC3
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC0F26
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10FCA
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10051
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10036
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10F9E
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10FAF
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F00033
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F0004E
.text C:\WINDOWS\system32\svchost.exe[1768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00018
.text C:\WINDOWS\system32\svchost.exe[1768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00EE0FD4
.text C:\WINDOWS\system32\svchost.exe[1768] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00EE0FC3

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A9013D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F604C000-F6062000 (90112 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\YCI8RDXG.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\LP11YJUH.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\LW11KRF5.txt 1115 bytes
File C:\Documents and Settings\NetworkService\Cookies\FU7UJ0GO.txt 1918 bytes
File C:\Documents and Settings\NetworkService\Cookies\X5STCA1J.txt 2675 bytes
File C:\Documents and Settings\NetworkService\Cookies\X7BK1JT6.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\6T1XGIUU.txt 12080 bytes
File C:\Documents and Settings\NetworkService\Cookies\SI234VHI.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\O99LHHOT.txt 3205 bytes
File C:\Documents and Settings\NetworkService\Cookies\J7JT0E8B.txt 3050 bytes
File C:\Documents and Settings\NetworkService\Cookies\TFOE6B9A.txt 2262 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\if[1].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\imgad[1].gif 22307 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\impressioncount[2].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A7TW9EIT\impressioncount[3].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\15197-15197-pomegranate-glazed-turkey-health-thanksgiving-spry-relish__crop-square-76x76[1].jpg 2584 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\ajs[1].php 3741 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\ads[2].js 11943 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\6119293[1].htm 7870 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\24903_c_clickpayz_com[1].txt 155 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\content_grabnetworks_com[1].xml 14840 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JO5UFKDH\SenseHandler[1].ashx 45478 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L41YZ7ZY\fleche2[2].png 791 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L41YZ7ZY\24903_c_clickpayz_com[1].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\AdServerServlet[2].htm 1528 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\na[1].png 179 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\5B7U74Dg04k[1].jpg 15633 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\fb_icon[1].png 2471 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\GetAd[1].aspx 3647 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\boxMiddle[1].gif 54 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\ros[1].htm 1077 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\sb_suite_1_AS2[1].swf 35358 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\eventCA3T2691.flow 106 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\287351306_1_400_250[1].jpg 10981 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\17080;167535;201;js;Cadreon;Cadreon728x90BasedTargetingDEJ9111123111[1] 502 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L4YF12AV\afe_specificclick_net[1].txt 975 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\sky-bottom[1].gif 890 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\1261937896@Top1[1] 115 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\Spark_WANT_300x250[1].swf 19557 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\crossdomain[9].xml 100 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\ExternalAdNetworkViewlogLogServlet[2].txt 5 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\f38ABbegyxQ[1].jpg 4473 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\9_uso2_com[1].txt 14159 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\1701292[1].xml 835 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QQQCKQEE\imp[3] 890 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\st[6] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\beacon[7].txt 69 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\AdServerServlet[4].htm 1330 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\AdServerServlet[5].htm 1573 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\GetAd[1].aspx 2019 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\GetAd[2].aspx 2017 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ptj[1] 162 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\fp[3] 20571 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\CreativeConfig_13[1].xml 18550 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\__utm[1].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\r[1].js 168 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\AdDisplayTrackerServletCA0MMI1Z.htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\log[4].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\1239926186@Bottom[1] 1868 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\p-00elAU1X2aPCI[1].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\in[1].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ajs[3].php 3121 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ajs[4].php 3743 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\ajs[5].php 3521 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\300x250_mock28_triad_greyBG[1].png 766 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\TSRq[1].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XSDN5PWN\TSRs[2].gif 35 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ajs[7].php 4143 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ajs[8].php 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\eventCAAKOXGG.flow 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\pixel[4] 3595 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\pixel[5] 3595 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\iframe!t=1209![7].txt 305 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ros[4] 1861 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\B6062744;sz=300x250;ord=4366947307205066718[1] 733 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\ads[2].js 9952 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\PublisherEventServlet[3].txt 5 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\GetAd[1].aspx 2017 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XZ9R8N85\3426[1].gif 62 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202 0 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\bckfg.tmp 852 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\keywords 16 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\L 0 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\L\dmdczkoi 64512 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U 0 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB24289$\1595081202\U\80000032.@ 98304 bytes
File C:\WINDOWS\$NtUninstallKB24289$\3502784138 0 bytes

---- EOF - GMER 1.0.15 ----

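The several hundred `.text ... JMP ...` lines in the GMER log above are GMER's report of inline hooks: the first bytes of an exported API in a system DLL have been overwritten with a jump into memory that belongs to no loaded module. Read one at a time they are noise; grouped per process they say something. The Python script below is an added example (not part of this thread and not GMER's own code): it parses those hook lines, ignores the other GMER sections, groups the hooks per PID, buckets each API into a rough category, and counts how many distinct 64 KiB regions the JMP targets land in. The category table and the region bucketing are my own choices; the sample input is a handful of lines copied from the log above plus two non-hook lines to show that they are skipped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One GMER "User code sections" line, in either of the two shapes seen in the log:
#   .text <image>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target>
#   .text <image>[<pid>] <module>!<func> + <off> <addr> <n> Bytes [<raw bytes>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>[^\s+]+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$"
)

# My own grouping of the hooked APIs (assumption, not GMER's): what a hook at this
# entry point lets the injected code intercept.
CATEGORIES = {
    "process":  ("CreateProcess", "NtCreateProcess", "WinExec", "system", "_wsystem"),
    "loader":   ("LoadLibrary", "GetProcAddress"),
    "memory":   ("VirtualProtect", "NtProtectVirtualMemory", "NtWriteVirtualMemory"),
    "file":     ("CreateFile", "NtCreateFile", "_open", "_wopen", "_creat", "_wcreat"),
    "pipe":     ("CreatePipe", "CreateNamedPipe"),
    "registry": ("RegOpenKey", "RegCreateKey"),
    "network":  ("socket", "InternetOpen"),
}


@dataclass
class Hook:
    image: str
    pid: int
    module: str
    func: str
    offset: int              # 0 for the entry point itself, N for a "func + N" continuation
    addr: int
    nbytes: int
    target: Optional[int]    # JMP destination; None when GMER printed raw bytes instead
    raw: Optional[str]


def categorize(func: str) -> str:
    for category, prefixes in CATEGORIES.items():
        if func.startswith(prefixes):
            return category
    return "other"


def parse_gmer_hooks(text: str) -> list:
    """Return one Hook per '.text' line; every other GMER line is skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]), module=m["module"], func=m["func"],
            offset=int(m["offset"] or 0), addr=int(m["addr"], 16), nbytes=int(m["nbytes"]),
            target=int(m["target"], 16) if m["target"] else None, raw=m["raw"],
        ))
    return hooks


def summarize(hooks: list) -> dict:
    """Per PID: patched entry points, categories, and the 64 KiB regions the JMPs reach.
    A few regions shared by every hook in a process points at one injected trampoline block."""
    per_pid = defaultdict(lambda: {"image": None, "entries": 0, "split": 0,
                                   "categories": set(), "regions": set()})
    for h in hooks:
        s = per_pid[h.pid]
        s["image"] = h.image
        if h.offset:                     # remainder of a patch GMER printed on two lines
            s["split"] += 1
            continue
        s["entries"] += 1
        s["categories"].add(categorize(h.func))
        if h.target is not None:
            s["regions"].add(h.target >> 16)
    return dict(per_pid)


def report(summary: dict) -> list:
    lines = []
    for pid, s in sorted(summary.items()):
        regions = ", ".join(f"{r:04X}xxxx" for r in sorted(s["regions"]))
        lines.append(f"{s['image']}[{pid}]: {s['entries']} hooked entry points "
                     f"({s['split']} split), categories={sorted(s['categories'])}, "
                     f"JMP regions={regions}")
    return lines


# Sample input: lines copied from the GMER log in this thread, plus two non-hook lines.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB00D3
.text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0093
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\svchost.exe[1472] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0047
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 039D0FD4
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F7000A
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 039C00E6
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03FB0F94
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 8C]
.text C:\WINDOWS\System32\svchost.exe[1488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 039F0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 039E0FEF
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
"""

if __name__ == "__main__":
    # For a real log: parse_gmer_hooks(open("gmer.log", encoding="utf-8", errors="replace").read())
    for line in report(summarize(parse_gmer_hooks(SAMPLE_LOG))):
        print(line)
```

Run against the full log above, the summary is the point a responder would want: every svchost.exe instance has the same set of process-creation, loader, registry, file and (in some) network APIs patched, and within each process all the JMPs land in a handful of small regions outside any DLL, which is consistent with one injected code block per process rather than a vendor's security hooks, which would sit inside a named module. Treat the output as triage, not a verdict; the region bucketing is a heuristic.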
#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:50 PM

Posted 18 December 2011 - 09:07 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Now please run aswMBR; these two tools target rootkits.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#8 BreeLovesPc

BreeLovesPc
  • Topic Starter

  • Members
  • 99 posts
  • OFFLINE
  • Gender:Female
  • Local time:01:50 PM

Posted 18 December 2011 - 10:12 PM

22:11:10.0875 3812 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
22:11:11.0453 3812 ============================================================
22:11:11.0453 3812 Current date / time: 2011/12/18 22:11:11.0453
22:11:11.0453 3812 SystemInfo:
22:11:11.0453 3812
22:11:11.0453 3812 OS Version: 5.1.2600 ServicePack: 3.0
22:11:11.0453 3812 Product type: Workstation
22:11:11.0453 3812 ComputerName: OWNER
22:11:11.0453 3812 UserName: Administrator
22:11:11.0453 3812 Windows directory: C:\WINDOWS
22:11:11.0453 3812 System windows directory: C:\WINDOWS
22:11:11.0453 3812 Processor architecture: Intel x86
22:11:11.0453 3812 Number of processors: 2
22:11:11.0453 3812 Page size: 0x1000
22:11:11.0453 3812 Boot type: Normal boot
22:11:11.0453 3812 ============================================================
22:11:12.0109 3812 Initialize success
22:11:16.0671 2892 ============================================================
22:11:16.0671 2892 Scan started
22:11:16.0671 2892 Mode: Manual;
22:11:16.0671 2892 ============================================================
22:11:17.0984 2892 Abiosdsk - ok
22:11:18.0062 2892 abp480n5 - ok
22:11:18.0109 2892 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:11:18.0109 2892 ACPI - ok
22:11:18.0187 2892 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:11:18.0187 2892 ACPIEC - ok
22:11:18.0203 2892 adpu160m - ok
22:11:18.0250 2892 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:11:18.0250 2892 aec - ok
22:11:18.0296 2892 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:11:18.0296 2892 AegisP - ok
22:11:18.0343 2892 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
22:11:18.0359 2892 AFD - ok
22:11:18.0359 2892 Aha154x - ok
22:11:18.0375 2892 aic78u2 - ok
22:11:18.0406 2892 aic78xx - ok
22:11:18.0437 2892 AliIde - ok
22:11:18.0453 2892 amsint - ok
22:11:18.0500 2892 asc - ok
22:11:18.0515 2892 asc3350p - ok
22:11:18.0531 2892 asc3550 - ok
22:11:18.0609 2892 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:11:18.0609 2892 AsyncMac - ok
22:11:18.0640 2892 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:11:18.0656 2892 atapi - ok
22:11:18.0703 2892 Atdisk - ok
22:11:18.0750 2892 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:11:18.0750 2892 Atmarpc - ok
22:11:18.0812 2892 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:11:18.0812 2892 audstub - ok
22:11:18.0843 2892 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:11:18.0843 2892 Beep - ok
22:11:18.0875 2892 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:11:18.0875 2892 cbidf2k - ok
22:11:18.0921 2892 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:11:18.0921 2892 CCDECODE - ok
22:11:18.0953 2892 cd20xrnt - ok
22:11:18.0984 2892 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:11:18.0984 2892 Cdaudio - ok
22:11:19.0015 2892 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:11:19.0015 2892 Cdfs - ok
22:11:19.0078 2892 Cdrom (7b53584d94e9d8716b2de91d5f1cb42d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:11:19.0078 2892 Cdrom - ok
22:11:19.0140 2892 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
22:11:19.0140 2892 cercsr6 - ok
22:11:19.0187 2892 cfwids (7fd604cd7a7a0ff8975af61bdf64c577) C:\WINDOWS\system32\drivers\cfwids.sys
22:11:19.0187 2892 cfwids - ok
22:11:19.0234 2892 Changer - ok
22:11:19.0265 2892 CmdIde - ok
22:11:19.0312 2892 Cpqarray - ok
22:11:19.0359 2892 dac2w2k - ok
22:11:19.0375 2892 dac960nt - ok
22:11:19.0421 2892 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:11:19.0421 2892 Disk - ok
22:11:19.0468 2892 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:11:19.0484 2892 dmboot - ok
22:11:19.0531 2892 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:11:19.0546 2892 dmio - ok
22:11:19.0609 2892 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:11:19.0609 2892 dmload - ok
22:11:19.0671 2892 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:11:19.0671 2892 DMusic - ok
22:11:19.0703 2892 dpti2o - ok
22:11:19.0750 2892 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:11:19.0750 2892 drmkaud - ok
22:11:19.0796 2892 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
22:11:19.0796 2892 E100B - ok
22:11:19.0875 2892 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:11:19.0875 2892 Fastfat - ok
22:11:19.0906 2892 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
22:11:19.0906 2892 Fdc - ok
22:11:19.0953 2892 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
22:11:19.0953 2892 FilterService - ok
22:11:19.0968 2892 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:11:19.0968 2892 Fips - ok
22:11:19.0984 2892 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:11:19.0984 2892 Flpydisk - ok
22:11:20.0015 2892 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:11:20.0015 2892 FltMgr - ok
22:11:20.0046 2892 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:11:20.0046 2892 Fs_Rec - ok
22:11:20.0062 2892 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:11:20.0062 2892 Ftdisk - ok
22:11:20.0078 2892 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:11:20.0078 2892 Gpc - ok
22:11:20.0109 2892 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:11:20.0125 2892 HDAudBus - ok
22:11:20.0171 2892 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:11:20.0171 2892 HidUsb - ok
22:11:20.0203 2892 hpn - ok
22:11:20.0265 2892 HSFHWBS2 (c27c1231a205086d35088e13817985b0) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
22:11:20.0265 2892 HSFHWBS2 - ok
22:11:20.0296 2892 HSF_DP (73d70d6b8516075fb4de65726f74a121) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
22:11:20.0312 2892 HSF_DP - ok
22:11:20.0359 2892 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:11:20.0375 2892 HTTP - ok
22:11:20.0390 2892 i2omgmt - ok
22:11:20.0421 2892 i2omp - ok
22:11:20.0500 2892 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:11:20.0515 2892 i8042prt - ok
22:11:20.0687 2892 ialm (1312e0141a7bd409afadd52fa565927e) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
22:11:20.0828 2892 ialm - ok
22:11:20.0953 2892 ICAM3NT5 (7e9dce459be666ab54f67e77cb7d1297) C:\WINDOWS\system32\Drivers\Icam3.sys
22:11:20.0968 2892 ICAM3NT5 - ok
22:11:21.0000 2892 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:11:21.0000 2892 Imapi - ok
22:11:21.0062 2892 ini910u - ok
22:11:21.0093 2892 IntelIde - ok
22:11:21.0109 2892 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:11:21.0109 2892 intelppm - ok
22:11:21.0171 2892 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:11:21.0171 2892 Ip6Fw - ok
22:11:21.0234 2892 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:11:21.0234 2892 IpFilterDriver - ok
22:11:21.0265 2892 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:11:21.0265 2892 IpInIp - ok
22:11:21.0296 2892 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:11:21.0296 2892 IpNat - ok
22:11:21.0312 2892 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:11:21.0312 2892 IPSec - ok
22:11:21.0343 2892 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:11:21.0343 2892 IRENUM - ok
22:11:21.0390 2892 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:11:21.0406 2892 isapnp - ok
22:11:21.0437 2892 JL2005C (d0cf54a5e47110e1d13728f75c54c620) C:\WINDOWS\system32\Drivers\jl2005c.sys
22:11:21.0437 2892 JL2005C - ok
22:11:21.0500 2892 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:11:21.0500 2892 Kbdclass - ok
22:11:21.0546 2892 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:11:21.0546 2892 kbdhid - ok
22:11:21.0578 2892 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:11:21.0593 2892 kmixer - ok
22:11:21.0656 2892 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:11:21.0656 2892 KSecDD - ok
22:11:21.0703 2892 lbrtfdc - ok
22:11:21.0781 2892 lvpopflt (9fb982de1c8dd769f8ed681dd878b12f) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
22:11:21.0781 2892 lvpopflt - ok
22:11:21.0812 2892 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
22:11:21.0812 2892 LVPr2Mon - ok
22:11:21.0843 2892 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\WINDOWS\system32\DRIVERS\lvrs.sys
22:11:21.0859 2892 LVRS - ok
22:11:21.0890 2892 LVUSBSta (8b79a50360fc31df6b7b979b686b4aa2) C:\WINDOWS\system32\drivers\LVUSBSta.sys
22:11:21.0890 2892 LVUSBSta - ok
22:11:22.0093 2892 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
22:11:22.0265 2892 LVUVC - ok
22:11:22.0296 2892 MBAMSwissArmy - ok
22:11:22.0390 2892 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:11:22.0390 2892 mdmxsdk - ok
22:11:22.0468 2892 mfeapfk (688b626fca708ee9eb161cad1f7363a9) C:\WINDOWS\system32\drivers\mfeapfk.sys
22:11:22.0546 2892 mfeapfk - ok
22:11:22.0640 2892 mfeavfk (dbf6e1b388d5c070d438c61adb990c30) C:\WINDOWS\system32\drivers\mfeavfk.sys
22:11:22.0656 2892 mfeavfk - ok
22:11:22.0656 2892 mfeavfk01 - ok
22:11:22.0703 2892 mfebopk (a528b15e330edb83ea649be318d841d5) C:\WINDOWS\system32\drivers\mfebopk.sys
22:11:22.0796 2892 mfebopk - ok
22:11:22.0937 2892 mfefirek (c7da1b8003c89acedaa13768f7a1c622) C:\WINDOWS\system32\drivers\mfefirek.sys
22:11:22.0937 2892 mfefirek - ok
22:11:23.0000 2892 mfehidk (44184f32392fa2e94d08d056ce750d56) C:\WINDOWS\system32\drivers\mfehidk.sys
22:11:23.0000 2892 mfehidk - ok
22:11:23.0046 2892 mfendisk (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
22:11:23.0046 2892 mfendisk - ok
22:11:23.0062 2892 mfendiskmp (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
22:11:23.0062 2892 mfendiskmp - ok
22:11:23.0109 2892 mferkdet (ce1711f7c3f72f6762abd241dcfd5ee1) C:\WINDOWS\system32\drivers\mferkdet.sys
22:11:23.0109 2892 mferkdet - ok
22:11:23.0140 2892 mfetdi2k (25e12c68b49a64ffc873603dfd578236) C:\WINDOWS\system32\drivers\mfetdi2k.sys
22:11:23.0140 2892 mfetdi2k - ok
22:11:23.0187 2892 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:11:23.0187 2892 mnmdd - ok
22:11:23.0296 2892 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:11:23.0296 2892 Modem - ok
22:11:23.0312 2892 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
22:11:23.0312 2892 MODEMCSA - ok
22:11:23.0328 2892 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:11:23.0328 2892 Mouclass - ok
22:11:23.0375 2892 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:11:23.0375 2892 mouhid - ok
22:11:23.0406 2892 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:11:23.0406 2892 MountMgr - ok
22:11:23.0421 2892 mraid35x - ok
22:11:23.0500 2892 MREMP50 - ok
22:11:23.0500 2892 MRESP50 - ok
22:11:23.0562 2892 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:11:23.0562 2892 MRxDAV - ok
22:11:23.0625 2892 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:11:23.0640 2892 MRxSmb - ok
22:11:23.0671 2892 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:11:23.0671 2892 Msfs - ok
22:11:23.0718 2892 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:11:23.0718 2892 MSKSSRV - ok
22:11:23.0718 2892 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:11:23.0734 2892 MSPCLOCK - ok
22:11:23.0750 2892 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:11:23.0750 2892 MSPQM - ok
22:11:23.0796 2892 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:11:23.0812 2892 mssmbios - ok
22:11:23.0843 2892 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:11:23.0843 2892 MSTEE - ok
22:11:23.0906 2892 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:11:23.0906 2892 Mup - ok
22:11:23.0937 2892 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:11:23.0937 2892 NABTSFEC - ok
22:11:24.0015 2892 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:11:24.0015 2892 NDIS - ok
22:11:24.0046 2892 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:11:24.0062 2892 NdisIP - ok
22:11:24.0109 2892 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:11:24.0171 2892 NdisTapi - ok
22:11:24.0203 2892 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:11:24.0203 2892 Ndisuio - ok
22:11:24.0234 2892 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:11:24.0234 2892 NdisWan - ok
22:11:24.0281 2892 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:11:24.0281 2892 NDProxy - ok
22:11:24.0296 2892 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:11:24.0296 2892 NetBIOS - ok
22:11:24.0328 2892 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:11:24.0328 2892 NetBT - ok
22:11:24.0390 2892 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:11:24.0390 2892 Npfs - ok
22:11:24.0421 2892 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:11:24.0453 2892 Ntfs - ok
22:11:24.0515 2892 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:11:24.0515 2892 Null - ok
22:11:24.0546 2892 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:11:24.0546 2892 NwlnkFlt - ok
22:11:24.0578 2892 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:11:24.0593 2892 NwlnkFwd - ok
22:11:24.0656 2892 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:11:24.0656 2892 Parport - ok
22:11:24.0687 2892 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:11:24.0687 2892 PartMgr - ok
22:11:24.0734 2892 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:11:24.0734 2892 ParVdm - ok
22:11:24.0812 2892 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:11:24.0812 2892 PCI - ok
22:11:24.0859 2892 PCIDump - ok
22:11:24.0937 2892 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:11:24.0937 2892 PCIIde - ok
22:11:24.0984 2892 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:11:24.0984 2892 Pcmcia - ok
22:11:25.0015 2892 PDCOMP - ok
22:11:25.0046 2892 PDFRAME - ok
22:11:25.0093 2892 PDRELI - ok
22:11:25.0140 2892 PDRFRAME - ok
22:11:25.0171 2892 perc2 - ok
22:11:25.0203 2892 perc2hib - ok
22:11:25.0234 2892 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:11:25.0250 2892 PptpMiniport - ok
22:11:25.0265 2892 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:11:25.0265 2892 PSched - ok
22:11:25.0296 2892 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:11:25.0296 2892 Ptilink - ok
22:11:25.0343 2892 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:11:25.0343 2892 PxHelp20 - ok
22:11:25.0359 2892 ql1080 - ok
22:11:25.0375 2892 Ql10wnt - ok
22:11:25.0390 2892 ql12160 - ok
22:11:25.0406 2892 ql1240 - ok
22:11:25.0437 2892 ql1280 - ok
22:11:25.0468 2892 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:11:25.0468 2892 RasAcd - ok
22:11:25.0515 2892 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:11:25.0515 2892 Rasl2tp - ok
22:11:25.0546 2892 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:11:25.0546 2892 RasPppoe - ok
22:11:25.0578 2892 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:11:25.0578 2892 Raspti - ok
22:11:25.0625 2892 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:11:25.0625 2892 Rdbss - ok
22:11:25.0640 2892 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:11:25.0640 2892 RDPCDD - ok
22:11:25.0703 2892 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:11:25.0718 2892 rdpdr - ok
22:11:25.0765 2892 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
22:11:25.0765 2892 RDPWD - ok
22:11:25.0812 2892 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:11:25.0812 2892 redbook - ok
22:11:25.0843 2892 RTLWUSB - ok
22:11:25.0906 2892 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:11:25.0906 2892 Secdrv - ok
22:11:25.0984 2892 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:11:25.0984 2892 serenum - ok
22:11:26.0046 2892 Serial (1929606c01949aea41633eddf743abb7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:11:26.0046 2892 Serial - ok
22:11:26.0156 2892 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:11:26.0156 2892 Sfloppy - ok
22:11:26.0187 2892 Simbad - ok
22:11:26.0234 2892 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:11:26.0234 2892 SLIP - ok
22:11:26.0250 2892 Sparrow - ok
22:11:26.0296 2892 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:11:26.0296 2892 splitter - ok
22:11:26.0343 2892 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:11:26.0343 2892 sr - ok
22:11:26.0421 2892 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:11:26.0421 2892 Srv - ok
22:11:26.0500 2892 STHDA (228519217a88c2f6b0cf8c022e6d669c) C:\WINDOWS\system32\drivers\sthda.sys
22:11:26.0546 2892 STHDA - ok
22:11:26.0640 2892 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:11:26.0640 2892 streamip - ok
22:11:26.0687 2892 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:11:26.0687 2892 swenum - ok
22:11:26.0750 2892 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:11:26.0765 2892 swmidi - ok
22:11:26.0796 2892 symc810 - ok
22:11:26.0812 2892 symc8xx - ok
22:11:26.0843 2892 sym_hi - ok
22:11:26.0875 2892 sym_u3 - ok
22:11:26.0890 2892 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:11:26.0890 2892 sysaudio - ok
22:11:26.0968 2892 Tcpip (4afb3b0919649f95c1964aa1fad27d73) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:11:26.0968 2892 Tcpip - ok
22:11:27.0000 2892 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:11:27.0015 2892 TDPIPE - ok
22:11:27.0046 2892 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:11:27.0046 2892 TDTCP - ok
22:11:27.0078 2892 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:11:27.0078 2892 TermDD - ok
22:11:27.0109 2892 TosIde - ok
22:11:27.0140 2892 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:11:27.0156 2892 Udfs - ok
22:11:27.0171 2892 ultra - ok
22:11:27.0203 2892 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:11:27.0218 2892 Update - ok
22:11:27.0281 2892 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
22:11:27.0296 2892 usbaudio - ok
22:11:27.0312 2892 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:11:27.0312 2892 usbccgp - ok
22:11:27.0375 2892 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:11:27.0375 2892 usbehci - ok
22:11:27.0406 2892 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:11:27.0406 2892 usbhub - ok
22:11:27.0453 2892 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:11:27.0453 2892 USBSTOR - ok
22:11:27.0500 2892 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:11:27.0500 2892 usbuhci - ok
22:11:27.0531 2892 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
22:11:27.0531 2892 usbvideo - ok
22:11:27.0562 2892 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:11:27.0562 2892 VgaSave - ok
22:11:27.0578 2892 ViaIde - ok
22:11:27.0640 2892 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:11:27.0640 2892 VolSnap - ok
22:11:27.0734 2892 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:11:27.0734 2892 Wanarp - ok
22:11:27.0781 2892 WDICA - ok
22:11:27.0828 2892 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:11:27.0828 2892 wdmaud - ok
22:11:27.0906 2892 winachsf (9c26534a3d2aa00352ffcd23bfef1399) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:11:27.0921 2892 winachsf - ok
22:11:28.0062 2892 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
22:11:28.0078 2892 WpdUsb - ok
22:11:28.0125 2892 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:11:28.0125 2892 WS2IFSL - ok
22:11:28.0203 2892 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:11:28.0203 2892 WSTCODEC - ok
22:11:28.0250 2892 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:11:28.0250 2892 WudfPf - ok
22:11:28.0281 2892 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:11:28.0296 2892 WudfRd - ok
22:11:28.0343 2892 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:11:28.0437 2892 \Device\Harddisk0\DR0 - ok
22:11:28.0453 2892 Boot (0x1200) (09094659f87ed6f19536ae950946c8d5) \Device\Harddisk0\DR0\Partition0
22:11:28.0453 2892 \Device\Harddisk0\DR0\Partition0 - ok
22:11:28.0453 2892 ============================================================
22:11:28.0453 2892 Scan finished
22:11:28.0453 2892 ============================================================
22:11:28.0468 2872 Detected object count: 0
22:11:28.0468 2872 Actual detected object count: 0


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-18 22:13:26
-----------------------------
22:13:26.390 OS Version: Windows 5.1.2600 Service Pack 3
22:13:26.390 Number of processors: 2 586 0xF02
22:13:26.390 ComputerName: OWNER UserName:
22:13:26.953 Initialize success
22:13:55.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
22:13:55.109 Disk 0 Vendor: ST3160815AS 3.AAC Size: 152627MB BusType: 3
22:13:57.125 Disk 0 MBR read successfully
22:13:57.125 Disk 0 MBR scan
22:13:57.125 Disk 0 Windows XP default MBR code
22:13:57.125 Disk 0 scanning sectors +156296385
22:13:57.171 Disk 0 scanning C:\WINDOWS\system32\drivers
22:14:03.562 Service scanning
22:14:04.656 Modules scanning
22:14:07.453 Module: C:\WINDOWS\system32\DRIVERS\serial.sys **SUSPICIOUS**
22:14:11.109 Disk 0 trace - called modules:
22:14:11.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ef5f10]<<
22:14:11.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87133ab8]
22:14:11.125 3 CLASSPNP.SYS[f762efd7] -> nt!IofCallDriver -> [0x86f87f08]
22:14:11.125 \Driver\00000581[0x87153d58] -> IRP_MJ_CREATE -> 0x86ef5f10
22:14:11.125 Scan finished successfully
22:14:21.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
22:14:21.750 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

Edited by BreeLovesPc, 18 December 2011 - 10:15 PM.
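As an added example (not code from the thread and not from TDSSKiller or aswMBR), a small Python triage script that reads the two log formats posted above and pulls out the lines a responder checks first: TDSSKiller verdicts other than "- ok", the detected object count, aswMBR modules marked **SUSPICIOUS**, and a disk driver chain that ends in code owned by no loaded module. The "exampledrv ... - infected" line and the count of 1 in the sample are constructed, and the exact wording of a TDSSKiller detection verdict is assumed.

```python
"""Triage helper for the two rootkit-scanner logs posted above.

Added example, not part of the thread and not code from TDSSKiller or
aswMBR. Returns the log lines a responder looks at first.
"""
import re
from dataclasses import dataclass

# TDSSKiller line: "HH:MM:SS.mmmm <thread id> <message>"
TDSS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# aswMBR line: "HH:MM:SS.mmm <message>"
ASWMBR_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
# aswMBR disk trace pointing at an address outside every loaded module.
UNKNOWN_HOOK = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
DETECTED = re.compile(r"^Detected object count: (\d+)$")


@dataclass(frozen=True)
class Finding:
    tool: str
    reason: str
    detail: str


def triage_tdsskiller(lines):
    """Return (findings, detected_count) for a TDSSKiller log."""
    # Inside the scan section each object gets a description line
    # ("name (md5) path", no " - ") and then a verdict line "name - verdict";
    # every verdict that is not "ok" becomes a finding.
    findings, detected, in_scan = [], None, False
    for raw in lines:
        m = TDSS_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg == "Scan started":
            in_scan = True
            continue
        if msg == "Scan finished":
            in_scan = False
            continue
        dm = DETECTED.match(msg)
        if dm:
            detected = int(dm.group(1))
            continue
        if not in_scan:
            continue
        name, sep, verdict = msg.rpartition(" - ")
        if sep and verdict != "ok":
            findings.append(Finding("TDSSKiller", verdict, name))
    return findings, detected


def triage_aswmbr(lines):
    """Return findings for an aswMBR log: suspicious modules, unknown hooks."""
    findings = []
    for raw in lines:
        m = ASWMBR_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if "**SUSPICIOUS**" in msg:
            path = msg.replace("**SUSPICIOUS**", "").replace("Module:", "").strip()
            findings.append(Finding("aswMBR", "suspicious module", path))
        hm = UNKNOWN_HOOK.search(msg)
        if hm:
            # The disk I/O path (ntkrnlpa -> CLASSPNP -> disk.sys) ends in
            # code no loaded driver owns: the signature of an MBR rootkit hook.
            findings.append(Finding("aswMBR", "unknown code in disk driver chain", hm.group(1)))
    return findings


# Clean entries copied from the TDSSKiller log above; the "exampledrv"
# verdict and the count of 1 are constructed to exercise the non-clean path
# (the exact wording of a TDSSKiller detection line is an assumption).
SAMPLE_TDSS = r"""
22:11:16.0671 2892 Scan started
22:11:18.0109 2892 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:11:18.0109 2892 ACPI - ok
22:11:28.0000 2892 exampledrv ( Rootkit.Win32.TDSS.tdl3 ) - infected
22:11:28.0343 2892 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:11:28.0437 2892 \Device\Harddisk0\DR0 - ok
22:11:28.0453 2892 Scan finished
22:11:28.0468 2872 Detected object count: 1
""".strip().splitlines()

# Lines copied verbatim from the aswMBR log above.
SAMPLE_ASWMBR = r"""
22:13:57.125 Disk 0 Windows XP default MBR code
22:14:07.453 Module: C:\WINDOWS\system32\DRIVERS\serial.sys **SUSPICIOUS**
22:14:11.109 Disk 0 trace - called modules:
22:14:11.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ef5f10]<<
22:14:11.125 \Driver\00000581[0x87153d58] -> IRP_MJ_CREATE -> 0x86ef5f10
22:14:11.125 Scan finished successfully
""".strip().splitlines()
```

Calling `triage_tdsskiller(SAMPLE_TDSS)` and `triage_aswmbr(SAMPLE_ASWMBR)` gives the three findings a helper would ask about in the reply, which on this thread are the serial.sys module and the unknown hook at 0x86ef5f10.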


#9 BreeLovesPc
  • Topic Starter
  • Members
  • 99 posts
  • Gender:Female

Posted 19 December 2011 - 05:01 PM

Omg... the pop-up windows are back with a vengeance. In my earlier post I posted that after running rkill and then malwarebytes I saw no signs of the virus pop-up scanning windows, but now they're back and my computer is extremely laggy and slow. So the condition of my computer has worsened.

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 December 2011 - 09:14 PM

Please can you get an offline log from the master boot record as shown below.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.


#11 BreeLovesPc
  • Topic Starter
  • Members
  • 99 posts
  • Gender:Female

Posted 19 December 2011 - 11:13 PM

Ok, I followed the directions as indicated, but for some odd reason when I went to attach the mbr.zip to my reply it stated that I am not permitted to upload this kind of file. I don't know whether or not this will help or whether it means anything, but I found this mbr notepad file on my desktop. It won't let me attach that to my reply either; it's saying the same thing about not being permitted. Also, I tried opening mbr.zip with WinRAR and it said that the file was corrupted, so I'm not sure where I went wrong or what to do.

Edited by BreeLovesPc, 19 December 2011 - 11:18 PM.


#12 BreeLovesPc
  • Topic Starter
  • Members
  • 99 posts
  • Gender:Female

Posted 20 December 2011 - 11:22 AM

I don't mean to be impatient or anything, because I do appreciate the generous help you guys are giving for free and I do understand that you guys get overwhelmed at times, but the truth is my computer is going down more and more each day. I can't turn on my computer and be on or off line on it for more than 10 minutes before programs start to shut down, it gets laggy, and goes through periods of freezing. My PC's condition has worsened significantly. I've never seen it this bad before. Also it will not boot in any safe mode. Like I stated in an earlier post, when I first encountered this virus I used rkill from the site and then ran malwarebytes and quarantined and deleted the infected items on 12/10/11. After rebooting my computer I saw no signs of the virus popping up scanning my computer posing as security. Then on 12/18/11 my browser froze up and shut down and I began to see it again. I did the same process of running rkill then malwarebytes and it went away for a day and was back the next. So apparently that process only keeps the virus at bay for a while, but it's still there affecting my computer.

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 December 2011 - 06:53 PM

Open the zip file and copy and paste the content of the file sda0.bin into your next post.

#14 BreeLovesPc
  • Topic Starter
  • Members
  • 99 posts
  • Gender:Female

Posted 20 December 2011 - 10:51 PM

Okay... now I am confused. What zip file are you referring to? The mbr.zip file? If so, I posted in an earlier post that I tried to do that with WinRAR and an error message popped up saying that the file was corrupted, so I couldn't unzip it or do anything with it. And I'm not sure what you mean about the sda0.bin; do I go back into the xpud program?

Edited by BreeLovesPc, 20 December 2011 - 10:51 PM.


#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 December 2011 - 07:54 PM

Let's make sure the rogue has gone.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.



