
Redirect virus?


  • This topic is locked
27 replies to this topic

#1 tide_belle

  • Members
  • 156 posts
  • OFFLINE
  • Gender:Female
  • Location:Alabama
  • Local time:01:03 AM

Posted 18 December 2011 - 08:27 AM

Hello, my computer is as follows:
Windows XP Home edition ver 2002 SP 3
Firefox 8.0
Web of Trust for Search Engine
I am also using NoScript and AdBlockerPlus for Firefox.

I do not use IE as my browser. My problem started about a week ago when I began receiving messages that said "Page not found" or "Server not found" when I tried to click on Yahoo Mail, Windows Live Mail or even other reputable sites that I have visited in the past. I noticed one time that the address showing was even pagenotfound.co during one of the times the browser gave me the "Page not Found" message. Yesterday I was browsing some store sites, KMart, Walmart, Target, Toys R Us. Then I did a specific search for an item and thought I was clicking on a Disney store link when it was redirected to another site, but my WOT didn't allow it, so I cannot give you the address. I then checked my history list and did notice that in my history it showed three web pages that I know I didn't visit, but were showing up: emjcd.com, dpblovw.net, and apmebf.com. Since yesterday I have updated and run SuperAntiSpyware and MBAM in regular vs safe mode and they both found nothing. I think if I do possibly have a redirect virus that I have caught it early on. I have had a nasty one in the past that changed some of my registry files, so I recognize some of the signs. I just hope that I have caught it early on. Thank you!


#2 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:03:03 AM

Posted 18 December 2011 - 05:27 PM

Hello tide_belle! :thumbsup:

My name is bloopie and I'll help you as best I can. Let's first get some scan logs so that I can better assist you:

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Please be sure to include both the Result.txt log, as well as the GMER log in your next reply.

bloopie

Edited by bloopie reborn, 18 December 2011 - 05:57 PM.


#3 tide_belle

  • Topic Starter
  • Members
  • 156 posts
  • OFFLINE
  • Gender:Female
  • Location:Alabama
  • Local time:01:03 AM

Posted 19 December 2011 - 05:48 PM

Hello bloopie! :thumbup2:
Here is a copy of my result log. Do I need to proceed with the GMER download now?

MiniToolBox by Farbar
Ran by Jodi (administrator) on 19-12-2011 at 16:35:09
Microsoft Windows XP Home Edition Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® PRO/100 VE Network Connection = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : D7C1CCB1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-16-76-97-B8-75
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Monday, December 19, 2011 3:35:55 PM
Lease Expires . . . . . . . . . . : Monday, December 19, 2011 6:35:55 PM

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.159.106, 74.125.159.104, 74.125.159.99, 74.125.159.103
74.125.159.105, 74.125.159.147

Pinging google.com [74.125.159.99] with 32 bytes of data:

Reply from 74.125.159.99: bytes=32 time=29ms TTL=52
Reply from 74.125.159.99: bytes=32 time=32ms TTL=52

Ping statistics for 74.125.159.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 29ms, Maximum = 32ms, Average = 30ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 98.139.180.149

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=75ms TTL=52
Reply from 209.191.122.70: bytes=32 time=73ms TTL=52

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 73ms, Maximum = 75ms, Average = 74ms

Server: UnKnown
Address: 192.168.0.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 76 97 b8 75 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.100 20
192.168.0.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.100 192.168.0.100 20
224.0.0.0 240.0.0.0 192.168.0.100 192.168.0.100 20
255.255.255.255 255.255.255.255 192.168.0.100 192.168.0.100 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/17/2011 09:47:48 PM) (Source: Microsoft Office 11) (User: )
Description: Rejected Safe Mode action : Microsoft Office Word.

Error: (12/14/2011 09:43:06 AM) (Source: Lavasoft Ad-Aware Service) (User: )
Description: Only one instance of service process is allowed.

Error: (12/13/2011 03:32:36 PM) (Source: McLogEvent) (User: )
Description: The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 5 seconds;

Error: (12/13/2011 03:32:02 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2316 (0x90c)

Thread address : 0x7C90E514

Thread message :

Build VSCORE.13.3.2.128 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\Program Files\Common Files\McAfee\Engine\avvclean.dat
by C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (12/10/2011 00:27:02 PM) (Source: Lavasoft Ad-Aware Service) (User: )
Description: Only one instance of service process is allowed.

Error: (12/08/2011 02:17:47 PM) (Source: McLogEvent) (User: )
Description: The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 5 seconds;

Error: (12/08/2011 02:17:20 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 3052 (0xbec)

Thread address : 0x7C90E514

Thread message :

Build VSCORE.13.3.2.128 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\Program Files\Common Files\McAfee\Engine\avvclean.dat
by C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (12/07/2011 06:07:41 AM) (Source: Lavasoft Ad-Aware Service) (User: )
Description: Only one instance of service process is allowed.

Error: (12/07/2011 06:07:38 AM) (Source: Lavasoft Ad-Aware Service) (User: )
Description: Only one instance of service process is allowed.

Error: (11/29/2011 04:09:00 PM) (Source: Lavasoft Ad-Aware Service) (User: )
Description: Only one instance of service process is allowed.


System errors:
=============
Error: (12/15/2011 01:56:40 PM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/14/2011 06:21:34 PM) (Source: Service Control Manager) (User: )
Description: The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Error: (12/14/2011 06:21:33 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Error: (12/14/2011 06:20:10 PM) (Source: Service Control Manager) (User: )
Description: The lxdnCATSCustConnectService service failed to start due to the following error:
%%1053

Error: (12/14/2011 06:20:10 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the lxdnCATSCustConnectService service to connect.

Error: (12/14/2011 06:18:24 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {D3580208-D4E1-46D4-876C-B45A328AF25A} did not register with DCOM within the required timeout.

Error: (12/14/2011 06:17:57 PM) (Source: Service Control Manager) (User: )
Description: The dlcc_device service terminated unexpectedly. It has done this 1 time(s).

Error: (12/14/2011 06:17:57 PM) (Source: Service Control Manager) (User: )
Description: The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s).

Error: (12/14/2011 06:17:57 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).

Error: (12/14/2011 06:17:57 PM) (Source: Service Control Manager) (User: )
Description: The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (12/17/2011 09:47:48 PM) (Source: Microsoft Office 11)(User: )
Description: Microsoft Office WordWord failed to start correctly last time. Starting Word in safe mode will help you correct or isolate a startup problem in order to successfully start the program. Some functionality may be disabled in this mode.

Do you want to start Word in safe mode?

Error: (12/14/2011 09:43:06 AM) (Source: Lavasoft Ad-Aware Service)(User: )
Description: Only one instance of service process is allowed.

Error: (12/13/2011 03:32:36 PM) (Source: McLogEvent)(User: )
Description: 5

Error: (12/13/2011 03:32:02 PM) (Source: McLogEvent)(User: SYSTEM)SYSTEM
Description: C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe900002316 (0x90c)0x7C90E514
Build VSCORE.13.3.2.128 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\Program Files\Common Files\McAfee\Engine\avvclean.dat
by C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (12/10/2011 00:27:02 PM) (Source: Lavasoft Ad-Aware Service)(User: )
Description: Only one instance of service process is allowed.

Error: (12/08/2011 02:17:47 PM) (Source: McLogEvent)(User: )
Description: 5

Error: (12/08/2011 02:17:20 PM) (Source: McLogEvent)(User: SYSTEM)SYSTEM
Description: C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe900003052 (0xbec)0x7C90E514
Build VSCORE.13.3.2.128 / 5400.1158
Object being scanned = \Device\HarddiskVolume2\Program Files\Common Files\McAfee\Engine\avvclean.dat
by C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Error: (12/07/2011 06:07:41 AM) (Source: Lavasoft Ad-Aware Service)(User: )
Description: Only one instance of service process is allowed.

Error: (12/07/2011 06:07:38 AM) (Source: Lavasoft Ad-Aware Service)(User: )
Description: Only one instance of service process is allowed.

Error: (11/29/2011 04:09:00 PM) (Source: Lavasoft Ad-Aware Service)(User: )
Description: Only one instance of service process is allowed.


=========================== Installed Programs ============================

924PLC32 (Version: 1.0.0)
ABBYY FineReader 6.0 Sprint (Version: 6.00.1395.41612)
Ad-Aware (Version: 9.5.0)
Ad-Aware (Version: 9.6.0)
Ad-Aware Security Toolbar (Version: 0.9.1.8)
Adobe AIR (Version: 2.0.4.13090)
Adobe Flash Player 10 ActiveX (Version: 10.1.102.64)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Reader X (10.1.1) (Version: 10.1.1)
Adobe Shockwave Player 11.6 (Version: 11.6.1.629)
Adobe® Photoshop® Album Starter Edition 3.0 (Version: 3.00.000)
Adventures in Typing with Timon and Pumbaa (Version: 1.0)
AOLIcon (Version: 1.00.0000)
Apple Application Support (Version: 2.1.5)
Apple Software Update (Version: 2.1.3.127)
Awakening: Moonfell Wood
Big Fish Games: Game Manager (Version: 2.0.0.28)
Bonjour (Version: 1.0.106)
Clifford Phonics
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Conexant D850 56K V.9x DFVc Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool (Version: 1.02.0000)
Dell Photo AIO Printer 924
Dell Support Center (Support Software) (Version: 2.2.09085)
Dell System Restore (Version: 2.00.0000)
DellSupport (Version: 6.0.3062)
Digital Content Portal (Version: 1.00.0000)
Digital Line Detect (Version: 1.10)
Documentation & Support Launcher (Version: 1.00.0000)
Dragon Tales
Dream Chronicles ™ 2: The Eternal Maze
Dream Chronicles: The Book of Air
Dream Chronicles: The Chosen Child
ELIcon (Version: 1.00.0000)
ESET Online Scanner v3
Finding Nemo: Nemo's Underwater World of Fun Special Edition (Version: 1.00.0000)
Get High Speed Internet! (Version: 1.00.0000)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Update Helper (Version: 1.3.21.79)
HijackThis 1.99.1 (Version: 1.99.1)
Hodgepodge Hollow
Intel® Extreme Graphics 2 Driver (Version: 6.14.10.4396)
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections (Version: 8.00.5000)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
LeapFrog Connect (Version: 2.9.1.11093)
LeapFrog Didj Plugin (Version: 2.8.7.11034)
Learn2 Player (Uninstall Only)
Lexmark 2600 Series
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.14.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
McAfee VirusScan Enterprise (Version: 8.6.0)
MCU (Version: 1.00.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Plus! Digital Media Edition Installer (Version: 1.1.0.3514)
Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper (Version: 2.40)
Mozilla Firefox 8.0 (x86 en-US) (Version: 8.0)
MSN
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NetWaiting (Version: 2.5.12)
Panda ActiveScan
Pencil-Pal Kindergarten
QuickTime (Version: 7.71.80.42)
Reading Readiness K-1
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealUpgrade 1.1 (Version: 1.1.0)
Roxio DLA (Version: 5.2.0)
Roxio RecordNow Audio (Version: 2.0.4)
Roxio RecordNow Copy (Version: 2.0.4)
Roxio RecordNow Data (Version: 2.0.4)
Scholastic's I SPY Junior
Search Assist (Version: 1.00.0000)
Segoe UI (Version: 14.0.4327.805)
Sonic Activation Module (Version: 1.0)
Sonic Update Manager (Version: 3.0.0)
SoundMAX (Version: 5.12.01.7000)
Spybot - Search & Destroy (Version: 1.6.2)
SpywareBlaster 4.4 (Version: 4.4.0)
SUPERAntiSpyware Free Edition (Version: 3.9.0.1008)
swMSM (Version: 12.0.0.1)
Transition Math K-1
Uninstall Best Reading Program
URL Assistant
Use the entry named LeapFrog Connect to uninstall (LeapFrog Didj Plugin)
Virtools 3D Life Player (Version: 4.0.0.x)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
Wandering Willows
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Family Safety (Version: 14.0.8093.805)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Format 11 runtime
Windows Media Player 10 (Version: 9.00.3636)
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WinPatrol (Version: 19.3.2010.5)
Xiph QuickTime Components

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 61%
Total physical RAM: 1021.98 MB
Available physical RAM: 393.57 MB
Total Pagefile: 1537.74 MB
Available Pagefile: 711.25 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.03 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:52.7 GB) (Free:32.17 GB) NTFS
2 Drive d: (Backup) (Fixed) (Total:18.61 GB) (Free:18.54 GB) NTFS

========================= Users: ========================================

User accounts for \\D7C1CCB1

Administrator Guest HelpAssistant
Jodi SUPPORT_388945a0

========================= Minidump Files ==================================

No minidump file found

**** End of log ****
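The Result.txt above is the log a helper reads for the usual redirect mechanisms: a configured proxy, Hosts-file overrides, a changed DNS server, or a third-party Winsock provider. As an added example (not part of the thread or of the MiniToolBox tool), the Python script below parses those four sections and lists anything worth a look; its sample log is built from the lines posted above, and the vendor set and address ranges it treats as expected are assumptions for the demo.

```python
"""Triage the redirect-relevant sections of a MiniToolBox Result.txt (added
example, not the tool's own code; the sample log is built from the thread)."""
import ipaddress
import re

SAMPLE_RESULT_TXT = r"""
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
DNS Servers . . . . . . . . . . . : 192.168.0.1
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>[A-Za-z][^=]*?):?\s*=+\s*$")
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)\s*$")
# Lines MiniToolBox prints when no proxy is set (assumption: any other line
# in a proxy section is worth a look).
BENIGN_PROXY_LINES = {"Proxy is not enabled.", "No Proxy Server is set."}
# Winsock provider vendors expected on this machine; anything else is
# surfaced for review (an assumption for this demo, not a malware list).
KNOWN_WINSOCK_VENDORS = {"Microsoft Corporation", "Apple Inc."}
# A home PC normally resolves via its router; a DNS server outside these
# ranges is surfaced for review (it may also be a deliberate public resolver).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def split_sections(text):
    """Map each '===== Name: =====' header to its non-empty body lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def proxy_findings(sections):
    findings = []
    for name in ("IE Proxy Settings", "FF Proxy Settings"):
        for line in sections.get(name, []):
            if line not in BENIGN_PROXY_LINES and not line.startswith('"Reset '):
                findings.append("%s: %s" % (name, line))
    return findings

def hosts_findings(lines):
    """Any Hosts entry beyond the localhost default resolves a name locally,
    which is one way a redirect can bypass the real DNS answer."""
    findings = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 2:
            continue
        if parts[0] in ("127.0.0.1", "::1") and parts[1:] == ["localhost"]:
            continue
        findings.append("hosts override: %s -> %s" % (", ".join(parts[1:]), parts[0]))
    return findings

def dns_findings(lines):
    """Flag resolvers outside the local ranges on the 'DNS Servers' line."""
    findings = []
    for line in lines:
        if line.startswith("DNS Servers"):
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", line):
                if not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
                    findings.append("non-private DNS server: " + ip)
    return findings

def winsock_findings(lines):
    """A Winsock LSP/NSP from an unexpected vendor sits in every socket call."""
    findings = []
    for line in lines:
        m = WINSOCK_RE.match(line)
        if not m:
            findings.append("unparsed Winsock entry: " + line)
        elif m.group(5) not in KNOWN_WINSOCK_VENDORS:
            findings.append("Winsock provider from %r: %s" % (m.group(5), m.group(3)))
    return findings

def triage(text):
    s = split_sections(text)
    return (proxy_findings(s) + hosts_findings(s.get("Hosts content", []))
            + dns_findings(s.get("IP Configuration", []))
            + winsock_findings(s.get("Winsock entries", [])))

if __name__ == "__main__":
    for f in triage(SAMPLE_RESULT_TXT) or ["no redirect indicators found"]:
        print(f)
```

On the posted log the script reports nothing, which matches what the helper went on to do: move to the rootkit scan rather than the network settings.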

#4 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:03:03 AM

Posted 19 December 2011 - 09:30 PM

Hi again,

Yes, please proceed with the GMER log as previously instructed next.


bloopie

#5 tide_belle

  • Topic Starter
  • Members
  • 156 posts
  • OFFLINE
  • Gender:Female
  • Location:Alabama
  • Local time:01:03 AM

Posted 20 December 2011 - 07:21 PM

Okay, here is the GMER log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-20 18:16:54
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3802110A rev.3.ADH
Running: s16urbm4.exe; Driver: C:\DOCUME~1\Jodi\LOCALS~1\Temp\pwlyapog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75E687E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75E6BFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEA0D640]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED980ABD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED980AE7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED980A51]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED980A7D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED980B11]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED980A27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED980AD1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED980A67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED980AA9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED980B27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED980AFB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP ED980AFF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568F68 5 Bytes JMP ED980A2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F864 5 Bytes JMP ED980AC1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80574E58 7 Bytes JMP ED980AD5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057A81E 5 Bytes JMP ED980B2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057AC99 7 Bytes JMP ED980B15 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805839B9 5 Bytes JMP ED980AAD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80595C1A 7 Bytes JMP ED980A81 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80597FFA 7 Bytes JMP ED980A55 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B1BEA 5 Bytes JMP ED980AEB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064F526 7 Bytes JMP ED980A6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6F33F80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070EEE
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EC2
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F09
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 000600AC
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060091
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060076
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005002F
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F9A
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC6
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FAB
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[680] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0093
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0082
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0071
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FCD
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F77
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00BF
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00FC
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00EB
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA010D
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA00A4
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA001E
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00DA
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B9005E
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90FA1
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FB2
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B9002F
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80FC1
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80FD2
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80027
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80038
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8000C
.text C:\WINDOWS\system32\lsass.exe[692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D900A4
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90089
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D9006C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D9002F
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D900C1
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F79
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90108
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D900ED
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90123
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D9004A
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90F8A
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90014
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FC3
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D900D2
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80014
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80076
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80FC3
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80065
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80040
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D8002F
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D7002E
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FAD
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D7001D
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D7000C
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FC8
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FE3
.text C:\WINDOWS\system32\svchost.exe[868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC0F9E
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0089
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC006C
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC0FAF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0040
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC0F5C
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0F83
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC0F30
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC0F4B
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC0F1F
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0051
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC00A4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC00C9
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FDB
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB0073
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB002C
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB0062
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CB0FC0
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EB, 88] {JMP 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB0047
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0055
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0044
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0029
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0018
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C90FEF
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C90089
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C90078
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C90F9E
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C90FB9
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C90040
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C90F57
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C90F68
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C90F24
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C90F35
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C90F13
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C9005B
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C90FDE
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C90F79
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C9001B
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C9000A
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C90F46
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02C80FC3
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02C80062
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02C80FD4
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02C8000A
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02C80051
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02C80FEF
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02C80040
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02C8002F
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0288005D
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!system 77C293C7 5 Bytes JMP 02880FC8
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02880FE3
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02880000
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02880038
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02880011
.text C:\WINDOWS\System32\svchost.exe[1040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02440000
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 02430000
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 02430011
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 02430022
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 0243003D
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770F73
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0077005E
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00770F84
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00770FA1
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770039
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007700A0
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770079
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00770F18
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00770F33
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007700D6
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00770FB2
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00770FDE
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00770F4E
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00770028
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00770FCD
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007700B1
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760FBC
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760057
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FCD
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760FDE
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760F90
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00760028
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760FAB
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0075006E
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 00750053
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0075002E
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00750FE3
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0075001D
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01080FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01080F62
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0108004D
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01080F73
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01080F90
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01080FAB
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01080F36
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01080F47
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010800AA
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0108008F
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010800BB
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01080032
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01080FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01080072
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01080FBC
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01080FCD
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!WinExec 7C86250D 1 Byte [E9]
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01080F11
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01070FB2
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01070043
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01070FC3
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01070FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01070F86
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01070FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01070032
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01070FA1
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01060FCD
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] msvcrt.dll!system 77C293C7 5 Bytes JMP 01060FDE
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01060044
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01060FEF
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01060029
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01050000
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] WinInet.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 017A000A
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] WinInet.dll!InternetOpenW 3D95DB21 5 Bytes JMP 017A001B
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] WinInet.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 017A002C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1248] WinInet.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 017A003D
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0FA5
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C009A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0089
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C006C
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FDB
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C00DC
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C00BF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F5E
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00F7
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0F43
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0011
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F94
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0047
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C002C
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F6F
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F79
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F8A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B0036
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FB9
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0F92
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FAD
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A000C
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A001D
.text C:\WINDOWS\system32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FD2
.text C:\WINDOWS\system32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FE5
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A0FEF
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1392] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A0093
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1392] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A0078
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A005B
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1392] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A0040
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A0FB2
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[1392] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A00DC

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

#6 bloopie (Malware Response Team)

Posted 20 December 2011 - 09:09 PM

Hi again,

I know you're not using your Internet Explorer normally, but try it. Do you have the same problems in IE as well as Firefox, or is FF the only trouble?

bloopie

#7 tide_belle (Topic Starter)

Posted 21 December 2011 - 10:02 AM

I'll try IE, but I normally do not use it due to the numerous security issues and virus attacks. Are you seeing anything on the logs?

#8 bloopie (Malware Response Team)

Posted 21 December 2011 - 05:14 PM

Hi again,

The logs aren't showing any malware exactly. I'd like to know if FF is the only browser that is being redirected, as that could point the correct direction for us to take.

Internet Explorer does have some security issues, but you're only testing it for me. See if you get redirected when trying to go to Target, Walmart etc.

bloopie

#9 tide_belle (Topic Starter)

Posted 21 December 2011 - 05:16 PM

I will try it and report back.

#10 tide_belle (Topic Starter)

Posted 21 December 2011 - 05:46 PM

Okay, I've just tried IE and no redirects, no "page not found" or "server not found", but it was VERY slow and lagged severely. I came back to FF to post this reply and when I clicked on the site's link in my history, I received a "Firefox cannot connect to the server". I hit F5 to refresh and the page loaded correctly. I have not had any more redirects, but here are some other problems I'm seeing. The pages in IE and FF are not loading correctly; for example, the words on the page are overlapping, some of the pictures are not downloading and the pages just look funny, but the problem is corrected when I refresh.

Now when you say "The logs aren't showing any malware exactly." you have me worried. I can hear you emphasizing the word exactly.

Let me know if you need me to try anything else. I hope this is enough detailed information.

#11 bloopie (Malware Response Team)

Posted 21 December 2011 - 06:34 PM

Hi again,

Sorry about that, no the logs look clean! :)

I'd like you to try and run FF in safe mode and see if the problem persists:

Follow the instructions in this link: http://support.mozilla.com/en-US/kb/Safe%20Mode

bloopie

Edited by bloopie reborn, 21 December 2011 - 07:08 PM.


#12 tide_belle (Topic Starter)

Posted 22 December 2011 - 08:58 AM

Hello again,

It's okay about that. I am now breathing a sigh of relief B)

I am running Firefox in safe mode and there are no problems with loading any of the pages.

Okay, scratch the no problem with no add-ons. I just did a search using WOT and I had to refresh it 3 times before it finally loaded the page correctly.

Edited by tide_belle, 22 December 2011 - 09:41 AM.


#13 tide_belle (Topic Starter)

Posted 22 December 2011 - 10:30 AM

I don't know if this helps or not, but I'm attempting to watch youtube videos and they are choppy and keep skipping.

#14 bloopie (Malware Response Team)

Posted 22 December 2011 - 12:41 PM

Hi again,

It seems FF may have a bad add-on or CLSID. Let's try this:

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

bloopie

#15 tide_belle (Topic Starter)

Posted 22 December 2011 - 12:48 PM

I also wanted to add that when I tried playing music in Windows Media Player, the sound was choppy and dragging.

Here's the Goored log.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 11:50 on 22/12/2011 (Jodi)
Firefox version 8.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:34 12/11/2010]
{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} [11:34 19/10/2011]

C:\Documents and Settings\Jodi\Application Data\Mozilla\Firefox\Profiles\0dgnvtoz.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [04:03 14/11/2010]
{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [23:09 18/11/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:29 04/03/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:29 08/12/2010]

-=E.O.F=-

Edited by tide_belle, 22 December 2011 - 12:51 PM.
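The GooredFix log above lists each add-on by its ID, the folder or registry key it was found in, and a timestamp. As an added example (not part of GooredFix or of this thread), here is a small Python parser that groups the IDs by location and picks out the ones that another program registered under the HKLM Extensions key rather than installing through the add-on manager; those are the entries to check first when an unexplained add-on is suspected. The sample input is the log posted above.

```python
import re
from collections import defaultdict

# Sample input: the GooredLog section from the log posted in this thread.
SAMPLE_LOG = r"""========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:34 12/11/2010]
{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} [11:34 19/10/2011]

C:\Documents and Settings\Jodi\Application Data\Mozilla\Firefox\Profiles\0dgnvtoz.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [04:03 14/11/2010]
{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [23:09 18/11/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:29 04/03/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:29 08/12/2010]

-=E.O.F=-
"""

TIMESTAMP = r'\[(\d\d:\d\d \d\d/\d\d/\d{4})\]'
DIR_RE = re.compile(r'^[A-Za-z]:\\.*\\$')                 # an extensions folder header
ENTRY_RE = re.compile(r'^(\{[0-9A-Fa-f-]{36}\}|\S+@\S+)\s+' + TIMESTAMP + r'$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')                # a registry key header
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+' + TIMESTAMP + r'$')


def parse_goored_log(text):
    """Return {extension_id: [(kind, where, timestamp), ...]}.

    kind is 'dir' for an add-on found in an extensions folder (where = that
    folder) and 'registry' for one registered by an installer under the HKLM
    Extensions key (where = the folder the registry value points to)."""
    found = defaultdict(list)
    location, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('=') or line == '-=E.O.F=-':
            continue                      # section banners, blank lines, EOF marker
        if DIR_RE.match(line):
            location, kind = line, 'dir'
        elif KEY_RE.match(line):
            location, kind = KEY_RE.match(line).group(1), 'registry'
        elif kind == 'dir' and (m := ENTRY_RE.match(line)):
            found[m.group(1)].append(('dir', location, m.group(2)))
        elif kind == 'registry' and (m := VALUE_RE.match(line)):
            found[m.group(1)].append(('registry', m.group(2), m.group(3)))
    return dict(found)


def registry_registered(found):
    """IDs that reached Firefox through the registry, whether or not a copy
    also sits in an extensions folder; sorted so the result is stable."""
    return sorted(eid for eid, places in found.items()
                  if any(kind == 'registry' for kind, _, _ in places))


if __name__ == '__main__':
    table = parse_goored_log(SAMPLE_LOG)
    for eid, places in table.items():
        for kind, where, when in places:
            print(f'{eid}  {kind:8}  {when}  {where}')
    print('registered via HKLM:', registry_registered(table))
```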