I've got the redirect virus


39 replies to this topic

#1 crlin


  • Members
  • 24 posts

Posted 05 January 2012 - 03:03 AM

Well, this is my first post here. I seem to have the Google redirect virus - can't use search engines without being redirected to incorrect sites. On top of that I just fell for a possible scam by purchasing a program called Fix Redirect Virus. When I went to download it McAfee gave me the "do you really want to go there" warning. Strange that it did not detect a problem on their site before I purchased it. Anyway, idiot move aside, here is what I have done so far: Ran HitmanPro which found a Rootkit Rootkit.win32,Zaccess!IK. It quarantined it which was the only option. I ran it again today though and it found and quarantined the same thing! I ran Kaspersky TDSS killer and it only finds a locked file service SPTD which was quarantined as the only option. I ran Malwarebytes and it found: Rogue.WinAnti...., Pum disabled.s..... 5 times, and Hijack, Start Menu, all of which it quarantined. This is the same thing I got when I ran it again the next day. It also seems that data is constantly going in and out when I have the network connected to the infected computer. I'm not sure what to do next! I will be in and out tomorrow, so my replies may be slow. Thanks for any help you can give!


#2 Broni


    The Coolest BC Computer


  • BC Advisor
  • 42,725 posts

Posted 05 January 2012 - 09:42 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.



#3 crlin

  • Topic Starter

  • Members
  • 24 posts

Posted 06 January 2012 - 04:56 AM

Got them downloaded and will try to run them tomorrow - thank you for your patience.

#4 crlin

  • Topic Starter

  • Members
  • 24 posts

Posted 06 January 2012 - 04:45 PM

Should I be online for the first 4 tests? I have the computer offline to avoid further problems.

#5 Broni


    The Coolest BC Computer


  • BC Advisor
  • 42,725 posts

Posted 06 January 2012 - 04:47 PM

You need to be online only to update MBAM.



#6 crlin

  • Topic Starter

  • Members
  • 24 posts

Posted 06 January 2012 - 05:42 PM

Here are the results of the tests:

Security Check:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
McAfee SecurityCenter
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 23
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 11.1.102.55
Mozilla Firefox (3.6.25) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Farbar:

Farbar Service Scanner
Ran by Carolyn (administrator) on 06-01-2012 at 13:36:41
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: Attention! Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Mini Toolbox:

MiniToolBox by Farbar
Ran by Carolyn (administrator) on 06-01-2012 at 13:40:03
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.no_proxies_on", "127.0.0.1"
"network.proxy.type", 0
Hosts file not detected in the default directory
========================= IP Configuration: ================================

Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller = Local Area Connection (Disconnected)
1394 Net Adapter = 1394 Connection 2 (Connected)
1394 Net Adapter = 1394 Connection (Connected)
Intel® PRO/1000 PM Network Connection = Local Area Connection 3 (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 3"

set address name="Local Area Connection 3" source=dhcp
set dns name="Local Area Connection 3" source=dhcp register=PRIMARY
set wins name="Local Area Connection 3" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : Carolyn
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel® PRO/1000 PM Network Connection #2
Physical Address. . . . . . . . . : 00-00-D4-C2-94-30

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 00 d4 c2 94 30 ...... Intel® PRO/1000 PM Network Connection #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 2 1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()
Catalog9 22 mswsock.dll [File Not found] ()
Catalog9 23 mswsock.dll [File Not found] ()
Catalog9 24 mswsock.dll [File Not found] ()
Catalog9 25 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/04/2012 01:18:03 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (01/04/2012 01:16:45 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (01/04/2012 01:16:38 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/04/2012 01:16:38 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/04/2012 01:16:38 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


System errors:
=============
Error: (01/06/2012 02:21:30 AM) (Source: Print) (User: Carolyn)
Description: The document misp://mscjsres.dll::reportframe.html/ owned by Carolyn failed to print on printer Canon MP980 series Printer. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\CAROLYN. Win32 error code returned by the print processor: misp://mscjsres.dll::reportframe.html/0. misp://mscjsres.dll::reportframe.html/1

Error: (01/05/2012 06:36:11 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {209500FC-6B45-4693-8871-6296C4843751} did not register with DCOM within the required timeout.

Error: (01/04/2012 01:14:47 PM) (Source: DCOM) (User: Video Edit)
Description: DCOM got error "%%1055" attempting to start the service iPod Service with arguments "-Service"
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error: (01/04/2012 01:14:47 PM) (Source: DCOM) (User: Video Edit)
Description: DCOM got error "%%1055" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (01/04/2012 01:14:47 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1055" attempting to start the service McAfee SiteAdvisor Service with arguments ""
in order to run the server:
{5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error: (01/04/2012 01:14:47 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1055" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/04/2012 01:14:47 PM) (Source: DCOM) (User: Video Edit)
Description: DCOM got error "%%1055" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (01/03/2012 04:17:03 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1055" attempting to start the service SENS with arguments ""
in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error: (01/03/2012 04:17:03 PM) (Source: DCOM) (User: Carolyn)
Description: DCOM got error "%%1055" attempting to start the service iPod Service with arguments "-Service"
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error: (01/03/2012 04:17:03 PM) (Source: DCOM) (User: Carolyn)
Description: DCOM got error "%%1055" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}


Microsoft Office Sessions:
=========================
Error: (01/04/2012 01:18:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/04/2012 01:18:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (01/04/2012 01:16:45 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (01/04/2012 01:16:38 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/04/2012 01:16:38 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/04/2012 01:16:38 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.


=========================== Installed Programs ============================

ABBYY FineReader 5.0 Sprint Plus (Version: 5.0.0.3501)
ACDSee 10 Photo Manager (Version: 10.0.243)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe Acrobat 4.0 (Version: 4.0)
Adobe AIR (Version: 1.0.4990)
Adobe AIR (Version: 1.0.8.4990)
Adobe Common File Installer (Version: 1.00.002)
Adobe Flash Player 10 ActiveX (Version: 10.2.153.1)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Help Center 2.1 (Version: 2.1)
Adobe PhotoDeluxe Home Edition 4.0 (Version: 4.0)
Adobe Premiere Elements 3.0 (Version: 3.0.0)
Adobe Premiere Elements 3.0 Templates (Version: 1.0.0)
Adobe Reader 9.4.7 (Version: 9.4.7)
Adobe® Photoshop® Album Starter Edition 3.0 (Version: 3.00.000)
AMP Font Viewer
APC PowerChute Personal Edition
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
ArcSoft PhotoStudio 5.5
ArtRage 2.2 Free
AT&T Toolbar
AT&T Yahoo! Applications
Belarc Advisor 8.1
Bonjour (Version: 3.0.0.2)
Canon Camera Access Library (Version: 8.1.1.17)
Canon Camera Support Core Library (Version: 7.3.1.6)
Canon Camera Window DC_DV 5 for ZoomBrowser EX (Version: 5.4.5.17)
Canon Camera Window DC_DV 6 for ZoomBrowser EX (Version: 6.2.0.8)
Canon Camera Window MC 6 for ZoomBrowser EX (Version: 6.1.0.7)
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.0
Canon MP980 series MP Drivers
Canon MP980 series User Registration
Canon RAW Image Task for ZoomBrowser EX (Version: 2.4.0.7)
Canon RemoteCapture Task for ZoomBrowser EX (Version: 1.5.0.5)
Canon Utilities Digital Photo Professional 2.2 (Version: 2.2.0.1)
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Easy-PhotoPrint Pro
Canon Utilities EOS Utility (Version: 1.1.0.8)
Canon Utilities My Printer
Canon Utilities PhotoStitch (Version: 3.1.18.42)
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX (Version: 5.7.0.74)
ClearType Tuning Control Panel Applet (Version: 1.01.0000)
Corel Paint Shop Pro Photo XI (Version: 11.20.0000)
Corel Paint Shop Pro X (Version: 10.03)
CP_Package_Variety1 (Version: 53.0.13.000)
CP_Package_Variety2 (Version: 53.0.13.000)
CP_Package_Variety3 (Version: 53.0.13.000)
Creating Keepsakes Scrapbook Designer (Version: 1.00.0000)
Creative Delights Companion Sampler (Version: 10.0.0.0)
Creative System Information
Data Lifeguard Tools
EPSON Copy Utility 3 (Version: 3.1.0.0)
EPSON Perf 4990 Guide
EPSON Scan
EPSON SMART PANEL for Scanner
Family Tree Maker
FileZilla Client 3.4.0 (Version: 3.4.0)
Flickr Uploadr 3.0.5
Garmin Communicator Plugin (Version: 3.0.1)
Garmin USB Drivers (Version: 2.3.0.0)
GdiplusUpgrade (Version: 1.00.01)
Genline FamilyFinder 2 (Version: 2.3.6)
Google Earth (Version: 4.3.7191.6508)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard (Version: 1.1.1905.1)
Intel® PRO Network Connections Drivers
InterVideo Launcher
InterVideo WinDVD (Version: 5.0-B11.635)
iTunes (Version: 10.4.1.10)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 2 (Version: 1.6.0.20)
Java™ 6 Update 23 (Version: 6.0.230)
Java™ 6 Update 3 (Version: 1.6.0.30)
Java™ 6 Update 5 (Version: 1.6.0.50)
Java™ 6 Update 7 (Version: 1.6.0.70)
Legacy Chart 7.0
Lettering Delights Supreme Download (Version: 9.0.3.78)
Linksys EasyLink Advisor 1.5 (1032)
Logitech Desktop Messenger
Logitech MouseWare 9.79
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
McAfee SecurityCenter (Version: 10.5.247)
MediaCoder 0.6.1 (Version: 0.6.1)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Digital Image Library 9 - Blocker (Version: 9.00.0000)
Microsoft Digital Image Standard 2006 (Version: 11.0.0422)
Microsoft Digital Image Standard 2006 Editor (Version: 11.0.0422)
Microsoft Digital Image Standard 2006 Library (Version: 11.0.0422)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer (Version: 1.5.2316.0)
Microsoft Word 2002 (Version: 10.0.2627.01)
Microsoft Works (Version: 08.05.0818)
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word (Version: 8.0.0.0000)
Mozilla Firefox (3.6.25) (Version: 3.6.25 (en-US))
MSN Messenger 7.5 (Version: 7.5.0299.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB954459) (Version: 6.20.1099.0)
MyFonts Order M532240 (Version: 1.0)
Nero - Burning Rom (Version: 5.5.9)
NVIDIA Drivers
Paragon Drive Copy 9.0 Personal Special Edition
PC Probe II (Version: 1.00.36)
pcHugBug Browser Deluxe
pcHugWare AutoUpdater
QuickTime (Version: 7.70.80.34)
Realtek High Definition Audio Driver
Seagate Manager Installer (Version: 2.01.0048)
SilverFast Epson-SE
SilverFast SE CD Documentation 6.2.0
Sound Blaster Audigy 2 ZS
Spelling Dictionaries Support For Adobe Reader 9 (Version: 9.0.0)
Tablet
TextBridge Pro 8.0
USB Safely Remove 4.7
Walmart MP3 Music Downloads (Version: 1.5.0.7)
WD Diagnostics (Version: 1.07.0000)
WebFldrs XP (Version: 9.50.6513)
Windows 7 Upgrade Advisor Beta (Version: 2.0.1125.0)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0) (Version: 06/03/2009 2.3.0.0)
Windows Genuine Advantage v1.3.0254.0 (Version: 1.3.0254.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Imaging Component (Version: 3.0.0.0)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.2980)
Windows Media Format 11 runtime
Windows Media Hotfix - KB895181
Windows Media Player 10 Hotfix - KB888656
Windows Media Player 10 Hotfix - KB892313
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WinZip (Version: 11.1 (7466))
WinZip 11.1 (Version: 11.1.7466)
WinZip Internet Browser Support
Wisdom-soft ScreenHunter 5.0 Free
Wisdom-soft Toolbar (Version: )
Works Upgrade (Version: 8.0.0.0000)
Yahoo! Toolbar

========================= Memory info: ===================================

Percentage of memory in use: 22%
Total physical RAM: 2047.04 MB
Available physical RAM: 1594.91 MB
Total Pagefile: 3942.64 MB
Available Pagefile: 3406.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1980.63 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:232.88 GB) (Free:61.82 GB) NTFS
3 Drive d: () (Fixed) (Total:372.61 GB) (Free:24.52 GB) NTFS
6 Drive g: (DRV4_VOL1) (Fixed) (Total:931.51 GB) (Free:64.82 GB) NTFS
7 Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
8 Drive i: () (Removable) (Total:1.91 GB) (Free:1.38 GB) FAT

========================= Users: ========================================

User accounts for \\CAROLYN

Administrator ASPNET Carolyn
Guest HelpAssistant SUPPORT_388945a0
Video Edit


**** End of log ****

MWB:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.06.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Carolyn :: CAROLYN [administrator]

1/6/2012 2:13:48 PM
mbam-log-2012-01-06 (14-13-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220005
Time elapsed: 12 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I am getting ready to run GMER now. MWB did find a couple of things the first day I ran it, but it did not help the problem.

#7 crlin (Topic Starter, Members, 24 posts)

Posted 06 January 2012 - 08:19 PM

Still running GMER! Sure takes a long time!

#8 crlin (Topic Starter, Members, 24 posts)

Posted 06 January 2012 - 11:56 PM

Here is the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-06 20:52:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18 WDC_WD2500JD-00HBC0 rev.08.02D08
Running: qreb9qrd.exe; Driver: C:\DOCUME~1\Carolyn\LOCALS~1\Temp\pxldqpog.sys


---- System - GMER 1.0.15 ----

SSDT spxx.sys ZwCreateKey [0xF74D70E0]
SSDT spxx.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spxx.sys ZwEnumerateValueKey [0xF74F6030]
SSDT spxx.sys ZwOpenKey [0xF74D70C0]
SSDT spxx.sys ZwQueryKey [0xF74F6108]
SSDT spxx.sys ZwQueryValueKey [0xF74F5F88]
SSDT spxx.sys ZwSetValueKey [0xF74F619A]

INT 0x62 ? 8B09FBF8
INT 0x63 ? 8ABEEBF8
INT 0x73 ? 8B111BF8
INT 0x84 ? 8ABEEBF8
INT 0xA4 ? 8B09FBF8
INT 0xA4 ? 8B09FBF8
INT 0xB4 ? 8B111BF8
INT 0xB4 ? 8ABEEBF8
INT 0xB4 ? 8B111BF8

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xBA70422A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBA704256]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBA7042AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xBA7041D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xBA7041E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xBA704240]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xBA704282]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBA7042D6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBA7042C2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xBA704296]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515AB2 7 Bytes JMP BA70429A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057A7A9 5 Bytes JMP BA7042C6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057AC21 7 Bytes JMP BA7042B0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 8057F93A 5 Bytes JMP BA7041D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E8B1 5 Bytes JMP BA7042DA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 80596743 5 Bytes JMP BA7041EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 805991E8 7 Bytes JMP BA70425A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 8059A5C9 7 Bytes JMP BA70422E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 805E8694 5 Bytes JMP BA704286 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8065684C 7 Bytes JMP BA704244 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? spxx.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB95A2360, 0x20469D, 0xE8000020]
.text USBPORT.SYS!DllUnload B95308AC 5 Bytes JMP 8ABEE1D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[268] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\System32\svchost.exe[268] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F50FC3
.text C:\WINDOWS\System32\svchost.exe[268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F4006C
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F6D
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40051
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40040
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40014
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F4008E
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F46
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400A9
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F10
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F400C4
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F4002F
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F4007D
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40FA8
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\System32\svchost.exe[268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F40F21
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F8005B
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80025
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F8004A
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80F9E
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\WINDOWS\System32\svchost.exe[268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FB9
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70FB4
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F7003F
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F7002E
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FD9
.text C:\WINDOWS\System32\svchost.exe[268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F7001D
.text C:\WINDOWS\System32\svchost.exe[268] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[580] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CB0000
.text C:\WINDOWS\System32\svchost.exe[580] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CB002C
.text C:\WINDOWS\System32\svchost.exe[580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB0011
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0089
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0078
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0F9E
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0051
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F79
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA00BF
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F4D
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F5E
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0F28
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0040
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA00AE
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA001B
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA000A
.text C:\WINDOWS\System32\svchost.exe[580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA00DC
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C9001B
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90F8A
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C9000A
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90FA5
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C90047
.text C:\WINDOWS\System32\svchost.exe[580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90036
.text C:\WINDOWS\System32\svchost.exe[580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60053
.text C:\WINDOWS\System32\svchost.exe[580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60042
.text C:\WINDOWS\System32\svchost.exe[580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60FD2
.text C:\WINDOWS\System32\svchost.exe[580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60000
.text C:\WINDOWS\System32\svchost.exe[580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60027
.text C:\WINDOWS\System32\svchost.exe[580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E60FE3
.text C:\WINDOWS\System32\svchost.exe[580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\services.exe[1148] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 003A0FEF
.text C:\WINDOWS\system32\services.exe[1148] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003A001B
.text C:\WINDOWS\system32\services.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F46
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC003B
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0F61
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0F72
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0078
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0067
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC009A
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F0B
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC00AB
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0F83
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0FCA
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0056
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0FAF
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC0089
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70047
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D70F94
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F7, 88]
.text C:\WINDOWS\system32\services.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D70FA5
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60FAD
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60038
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D60016
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D60027
.text C:\WINDOWS\system32\services.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D60FD2
.text C:\WINDOWS\system32\services.exe[1148] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50F55
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50F66
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F8D
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F5004A
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50FAF
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50080
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F44
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F50EE7
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50EF8
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50ED6
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50F9E
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F5006F
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50F1D
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F40F75
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F40014
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40F86
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F40F97
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [14, 89] {ADC AL, 0x89}
.text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40FB2
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F3004E
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30FCD
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30FDE
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F3003D
.text C:\WINDOWS\system32\lsass.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F3000C
.text C:\WINDOWS\system32\lsass.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F7008C
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70071
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70F8D
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F7004A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FAF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F7C
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F700B8
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F700E9
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70F50
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70104
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70F9E
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F7009D
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F70F61
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60047
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F60FA5
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60FB6
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F60FDB
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 89]
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60058
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50F9C
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50027
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50FC1
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50016
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50FD2
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50F7C
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50071
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50F97
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50054
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C5002F
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C500A0
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C50F5A
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50F22
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F33
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50EFD
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50FA8
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F6B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C500BB
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F57
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0F72
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0F8D
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FA8
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0033
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0022
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FBC
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\svchost.exe[1448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FD7
.text C:\WINDOWS\system32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02C40FE5
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02C4000A
.text C:\WINDOWS\System32\svchost.exe[1488] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02C40FD4
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03640000
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0364008E
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03640073
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03640062
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03640FAF
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0364003D
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03640F61
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 036400A9
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 036400E9
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03640F50
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03640F35
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03640FC0
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0364001B
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03640F88
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0364002C
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03640FDB
.text C:\WINDOWS\System32\svchost.exe[1488] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 036400CE
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03630036
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03630FAF
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0363001B
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03630FEF
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03630FC0
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03630000
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03630062
.text C:\WINDOWS\System32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03630047
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0362003B
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!system 77C293C7 5 Bytes JMP 03620FA6
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03620FC1
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03620FEF
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03620016
.text C:\WINDOWS\System32\svchost.exe[1488] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03620FDE
.text C:\WINDOWS\System32\svchost.exe[1488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02C60000
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 02C70FE5
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02C70000
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02C70FC8
.text C:\WINDOWS\System32\svchost.exe[1488] WININET.dll!InternetOpenUrlW 771D5B9A 5 Bytes JMP 02C70FB7
.text C:\WINDOWS\system32\svchost.exe[1532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0063001E
.text C:\WINDOWS\system32\svchost.exe[1532] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00630FDE
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F6B
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F86
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0066005E
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660FAB
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660043
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660F4E
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660096
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F29
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600C2
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00660F18
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660FBC
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660FDE
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0066007B
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0066001E
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660FCD
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006600B1
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650040
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650076
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00650065
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640F92
.text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!system 77C293C7 5 Bytes JMP 0064001D
.text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FD2
.text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FAD
.text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0064000C
.text C:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00790000
.text C:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00790036
.text C:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0079001B
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007D0F92
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007D0FA3
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007D007D
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007D006C
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007D0036
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007D0F64
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007D0F75
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007D0F49
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007D00D8
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007D00FD
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007D005B
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007D000A
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007D00AC
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007D0FCA
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007D001B
.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007D00C7
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007C0FC3
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007C006F
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007C0FD4
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007C0FE5
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007C004A
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007C0000
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007C0039
.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007C0FB2
.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007B0F8B
.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!system 77C293C7 5 Bytes JMP 007B0FA6
.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007B0FD2
.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007B000C
.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007B0FC1
.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\System32\svchost.exe[1612] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009D0000
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D0FDB
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10FAF
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10FC0
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A1007D
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10047
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F66
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F83
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100EE
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A10F55
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetProcAddress 7C80AE40 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F44
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10058
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10011
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A100AE
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A1002C
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FDB
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A100C9
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00025
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F79
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00F94
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A00FB9
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C0, 88]
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00040
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F006E
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F005D
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0038
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F000C
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0FE3
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F001D
.text C:\WINDOWS\System32\svchost.exe[1660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009E0000
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910FDE
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[1888] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900091
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F9C
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900076
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0090005B
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F53
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F70
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009000DB
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000C0
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F27
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900FB9
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900F81
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900040
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0090001B
.text C:\WINDOWS\System32\svchost.exe[1888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F42
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009D0FB9
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009D005B
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009D000A
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009D0FDE
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009D0040
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009D0F9E
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BD, 88]
.text C:\WINDOWS\System32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009D0025
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009C002C
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!system 77C293C7 5 Bytes JMP 009C001B
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009C000A
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009C0FAB
.text C:\WINDOWS\System32\svchost.exe[1888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009C0FC6
.text C:\WINDOWS\System32\svchost.exe[1888] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[1888] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1888] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0093001B
.text C:\WINDOWS\System32\svchost.exe[1888] WININET.dll!InternetOpenUrlW 771D5B9A 5 Bytes JMP 00930FC8
.text C:\WINDOWS\System32\svchost.exe[1888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000
.text C:\WINDOWS\Explorer.EXE[2256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02BC0FEF
.text C:\WINDOWS\Explorer.EXE[2256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02BC0FCD
.text C:\WINDOWS\Explorer.EXE[2256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02BC0FDE
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02BB0FEF
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02BB0F3F
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02BB0F5A
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02BB0F6B
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02BB001E
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02BB0F97
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02BB007D
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02BB0062
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02BB0EEE
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02BB0EFF
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02BB0EDD
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02BB0F86
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02BB0FD4
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02BB0045
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02BB0FB2
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02BB0FC3
.text C:\WINDOWS\Explorer.EXE[2256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02BB0F1A
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02BA002C
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02BA0F91
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02BA0011
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02BA0000
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02BA004E
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02BA0FE5
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02BA0FAC
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DA, 8A]
.text C:\WINDOWS\Explorer.EXE[2256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02BA003D
.text C:\WINDOWS\Explorer.EXE[2256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\Explorer.EXE[2256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0058
.text C:\WINDOWS\Explorer.EXE[2256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB0029
.text C:\WINDOWS\Explorer.EXE[2256] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0FEF
.text C:\WINDOWS\Explorer.EXE[2256] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[2256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\Explorer.EXE[2256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0018
.text C:\WINDOWS\Explorer.EXE[2256] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\Explorer.EXE[2256] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\Explorer.EXE[2256] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00CA0FB7
.text C:\WINDOWS\Explorer.EXE[2256] WININET.dll!InternetOpenUrlW 771D5B9A 5 Bytes JMP 00CA0FA6
.text C:\WINDOWS\Explorer.EXE[2256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60000
.text C:\Program Files\Messenger\msmsgs.exe[2816] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 023E0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2816] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 023E0025
.text C:\Program Files\Messenger\msmsgs.exe[2816] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 023E000A
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0089
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F9E
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0078
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0FB9
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0051
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F79
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00B5
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F32
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F4D
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0F21
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FCA
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF001B
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF00A4
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FE5
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0036
.text C:\Program Files\Messenger\msmsgs.exe[2816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F5E
.text C:\Program Files\Messenger\msmsgs.exe[2816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0056
.text C:\Program Files\Messenger\msmsgs.exe[2816] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD003B
.text C:\Program Files\Messenger\msmsgs.exe[2816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0FD2
.text C:\Program Files\Messenger\msmsgs.exe[2816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FC1
.text C:\Program Files\Messenger\msmsgs.exe[2816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD000C
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE000A
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0051
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FB9
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FD4
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0040
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE002F
.text C:\Program Files\Messenger\msmsgs.exe[2816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0F9E
.text C:\Program Files\Messenger\msmsgs.exe[2816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FE5
.text C:\Program Files\Messenger\msmsgs.exe[2816] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00FC0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2816] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00FC000A
.text C:\Program Files\Messenger\msmsgs.exe[2816] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00FC001B
.text C:\Program Files\Messenger\msmsgs.exe[2816] WININET.dll!InternetOpenUrlW 771D5B9A 5 Bytes JMP 00FC0FC8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8B1112D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] spxx.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] spxx.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] spxx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] spxx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] spxx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] spxx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] spxx.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8ABEE2D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E8048] spxx.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[452] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[452] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B09D1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8ABED1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{500B244B-E1DE-4206-A9FF-7C93B7AFD3B5} 88D3C1F8
Device \Driver\usbuhci \Device\USBPDO-1 8ABED1F8
Device \Driver\usbuhci \Device\USBPDO-2 8ABED1F8
Device \Driver\usbuhci \Device\USBPDO-3 8ABED1F8
Device \Driver\usbehci \Device\USBPDO-4 8ABBF500

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8B10F1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8B10F1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \Driver\Cdrom \Device\CdRom0 8A3041F8
Device \Driver\atapi \Device\Ide\IdePort0 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2b [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B10F1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \Driver\Cdrom \Device\CdRom1 8A3041F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88D3C1F8
Device \Driver\NetBT \Device\NetbiosSmb 88D3C1F8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8ABED1F8
Device \Driver\usbuhci \Device\USBFDO-1 8ABED1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88D33500
Device \Driver\usbuhci \Device\USBFDO-2 8ABED1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88D33500
Device \Driver\usbuhci \Device\USBFDO-3 8ABED1F8
Device \Driver\usbehci \Device\USBFDO-4 8ABBF500
Device \Driver\Ftdisk \Device\FtControl 8B10F1F8
Device \Driver\iteraid \Device\Scsi\iteraid1 8B10E1F8
Device \Driver\SI3132 \Device\Scsi\SI31321 8B09E1F8
Device \FileSystem\Cdfs \Cdfs 897F3500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB21339$\1597177740 0 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003 0 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\bckfg.tmp 957 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\keywords 158 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\L 0 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\L\mhtpvirq 138496 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\U 0 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB21339$\3185635003\U\80000032.@ 77312 bytes

---- EOF - GMER 1.0.15 ----

#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,725 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:59 AM

Posted 07 January 2012 - 12:44 AM

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donation image.


#10 crlin

crlin
  • Topic Starter

  • Members
  • 24 posts
  • Local time:11:59 PM

Posted 07 January 2012 - 04:52 AM

Results of MBR:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-07 00:48:03
-----------------------------
00:48:03.343 OS Version: Windows 5.1.2600 Service Pack 3
00:48:03.343 Number of processors: 2 586 0x403
00:48:03.343 ComputerName: CAROLYN UserName: Carolyn
00:48:04.000 Initialize success
00:59:32.328 AVAST engine defs: 12010700
01:00:40.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18
01:00:40.250 Disk 0 Vendor: WDC_WD2500JD-00HBC0 08.02D08 Size: 238475MB BusType: 3
01:00:40.250 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-20
01:00:40.265 Disk 1 Vendor: WDC_WD10EACS-00D6B1 01.01A01 Size: 953869MB BusType: 3
01:00:40.265 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP2T0L0-2b
01:00:40.265 Disk 2 Vendor: ST3400832AS 3.03 Size: 381554MB BusType: 3
01:00:40.343 Disk 0 MBR read successfully
01:00:40.343 Disk 0 MBR scan
01:00:40.390 Disk 0 Windows XP default MBR code
01:00:40.421 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
01:00:40.468 Disk 0 scanning sectors +488392065
01:00:40.796 Disk 0 scanning C:\WINDOWS\system32\drivers
01:01:43.859 Service scanning
01:01:44.734 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
01:01:45.296 Modules scanning
01:03:25.109 Disk 0 trace - called modules:
01:03:25.156 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spxx.sys hal.dll >>UNKNOWN [0x8b0bf938]<<
01:03:25.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b02fab8]
01:03:25.156 3 CLASSPNP.SYS[f7667fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-18[0x8afd7b00]
01:03:25.671 AVAST engine scan C:\WINDOWS
01:05:17.484 AVAST engine scan C:\WINDOWS\system32
01:12:13.015 AVAST engine scan C:\WINDOWS\system32\drivers
01:13:22.640 AVAST engine scan C:\Documents and Settings\Carolyn
01:19:10.703 AVAST engine scan C:\Documents and Settings\All Users
01:19:10.703 Scan finished successfully
01:25:42.890 Disk 0 MBR has been saved successfully to "I:\Repair Computer virus\MBR.dat"
01:25:42.921 The log file has been saved successfully to "I:\Repair Computer virus\aswMBR.txt"

#11 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,725 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:59 AM

Posted 07 January 2012 - 11:53 AM

You may have more serious issues there, but let's try one thing: the missing "hosts" file.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#  	102.54.94.97 	rhino.acme.com      	# source server
#   	38.25.63.10 	x.acme.com          	# x client host

127.0.0.1   	localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure "Save as type:" is set to "All Files (*.*)"
3. Make sure the file is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder


======================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#12 crlin

crlin
  • Topic Starter

  • Members
  • 24 posts
  • Local time:11:59 PM

Posted 07 January 2012 - 02:35 PM

I get an error "script required" when I try to run SystemLook.

#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,725 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:59 AM

Posted 07 January 2012 - 02:58 PM

That's because you didn't read carefully and you forgot to paste my script.


#14 crlin

crlin
  • Topic Starter

  • Members
  • 24 posts
  • Local time:11:59 PM

Posted 07 January 2012 - 03:09 PM

oops! will try again - thanks!

#15 crlin

crlin
  • Topic Starter

  • Members
  • 24 posts
  • Local time:11:59 PM

Posted 07 January 2012 - 03:20 PM

Results:

SystemLook 30.07.11 by jpshortstuff
Log created at 12:15 on 07/01/2012 by Carolyn
Administrator - Elevation successful

========== dir ==========

C:\WINDOWS\SYSTEM32\DRIVERS\ETC - Parameters: "(none)"

---Files---
host.txt --a---- 711 bytes [19:29 07/01/2012] [19:29 07/01/2012]
hosts.ics --a---- 375 bytes [08:21 26/11/2005] [02:37 27/11/2005]
lmhosts.sam --a---- 3683 bytes [15:02 05/04/2003] [12:00 29/08/2002]
networks --a---- 407 bytes [15:02 05/04/2003] [12:00 29/08/2002]
protocol --a---- 799 bytes [15:02 05/04/2003] [12:00 29/08/2002]
services --a---- 7116 bytes [15:02 05/04/2003] [12:00 29/08/2002]

---Folders---
None found.

-= EOF =-
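As an added example (not part of the thread, and not Broni's or SystemLook's code), here is a Python check for the two things the hosts-file instructions in #11 and the SystemLook listing in #15 turn on: whether a file named exactly "hosts" exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC rather than a misnamed copy such as host.txt, and whether the file's entries deviate from the stock single "127.0.0.1 localhost" line (extra names sent to loopback or to a real address are the pattern a search-redirect hijack leaves behind). The directory listing and the hosts contents below are constructed; the example.com/example.net names are reserved documentation names, not indicators.

```python
"""Hosts-file sanity check (added example; not code from the thread or from SystemLook).

Models two points from the posts above: the resolver only honours a file named
exactly "hosts" in C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ETC (the SystemLook log shows a
file saved as host.txt instead), and the stock Windows XP hosts file contains a
single mapping, 127.0.0.1 localhost. Every listing and hosts entry here is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# The only mapping in the stock file pasted in the instructions above.
EXPECTED_ENTRIES: Dict[str, str] = {"localhost": "127.0.0.1"}

# Names Notepad produces when "Save as type" stays on "Text Documents" or the
# name is mistyped. Only a file called exactly "hosts" is read by the resolver.
MISNAMED = re.compile(r"^(host|hosts)(\.txt)?$", re.IGNORECASE)


def check_etc_listing(names: List[str]) -> Tuple[bool, List[str]]:
    """Return (hosts_present, misnamed) for an ETC directory listing."""
    present = any(n.lower() == "hosts" for n in names)
    misnamed = [n for n in names if MISNAMED.match(n) and n.lower() != "hosts"]
    return present, misnamed


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname: ip}.

    Comments (# to end of line) and blank lines are skipped; a line whose first
    field is not an IP address is ignored rather than treated as a mapping.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for hostname in fields[1:]:
            mapping[hostname.lower()] = fields[0]
    return mapping


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Compare a hosts file against the stock content.

    missing    - expected entries absent or pointing elsewhere
    blocked    - extra names sent to loopback/0.0.0.0 (e.g. update sites silenced)
    redirected - extra names sent to a real address (the search-redirect pattern)
    """
    mapping = parse_hosts(text)
    report: Dict[str, List[str]] = {"missing": [], "blocked": [], "redirected": []}
    for host, ip in EXPECTED_ENTRIES.items():
        if mapping.get(host) != ip:
            report["missing"].append(host)
    for host, ip in mapping.items():
        if EXPECTED_ENTRIES.get(host) == ip:
            continue
        addr = ipaddress.ip_address(ip)
        bucket = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        report[bucket].append(host)
    return report


# Constructed listing mirroring the SystemLook output: host.txt present, no "hosts".
SAMPLE_LISTING = ["host.txt", "hosts.ics", "lmhosts.sam", "networks", "protocol", "services"]

# Constructed hosts content of the kind a redirect infection leaves behind.
# example.com / example.net are reserved documentation names, not real indicators.
SAMPLE_HIJACKED = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        www.example.com     # constructed: search site sent elsewhere
127.0.0.1       update.example.net  # constructed: vendor update site silenced
"""

if __name__ == "__main__":
    present, misnamed = check_etc_listing(SAMPLE_LISTING)
    print("hosts present:", present, "misnamed:", misnamed)
    print("audit:", audit_hosts(SAMPLE_HIJACKED))
```

On a real machine, feed check_etc_listing the names from the ETC folder and audit_hosts the contents of the file named hosts; an empty "missing" list and empty "blocked"/"redirected" lists mean the file matches the stock one.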



