PING rootkit?


  • This topic is locked
31 replies to this topic

#1 wlopatin

Posted 13 February 2012 - 11:02 AM

I am helping a friend because they have no clue...and I have some experience with PCs.

Symptoms are:
1. running very slowly, task manager shows 100% cpu but process list does not show what is taking all that cpu
2. getting browser (IE, firefox, chrome) redirects, especially after doing any search. After the search results come up, clicking on any link goes to a different page, sometimes opening another tab, but never to where the link should be pointing.
3. the hd seems to be losing free space fast, now only about 1GB free and no indication of what is taking up all the space.

The computer has McAfee from ATT running all the time and Malwarebytes, running in the background.

I ran the Sophos anti-rootkit product and it tells me there is a hidden process running, C:\Windows\System32\ping.exe, but does not let me stop or delete it.
I ran GMER and when it starts it immediately pops up a window that says WARNING: GMER has found system modification which might be caused by ROOTKIT activity. I then let it scan the system. Do you need to see the log?

Thanks for any help.

#2 fireman4it

Posted 13 February 2012 - 12:51 PM

Hello wlopatin and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact you are running a 64bit machine please run the following tool and post its log.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Thanks and again sorry for the delay.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#3 wlopatin

Posted 13 February 2012 - 02:11 PM

Thank you for replying. I had to leave the infected pc for a few hours but will follow these instructions and post the logs as soon as I can. Sorry about the delay but please continue to help me.
Thanks again

#4 wlopatin

Posted 13 February 2012 - 10:01 PM

I am sorry for the delay again but I could not get back to the broken computer. I will be there in the morning and will follow your instructions and post the logs then.
Thank you...

#5 fireman4it

Posted 14 February 2012 - 10:34 AM

Ok, Thanks for letting me know!


#6 wlopatin

Posted 14 February 2012 - 11:53 AM

OK, I think I did what I was supposed to:
below is the paste from DDS and I attached the zip file from attach
I ran GMER, but after 60 minutes it still was not finished so I copied the log at that point.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by office1 at 11:17:57 on 2012-02-14
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.1821 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Printer DCA\PrinterDCA.Service.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Windows\System32\rundll32.exe
C:\Windows\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MozyPro\mozyprostat.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.tbe-sb.org/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070327
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110525223230.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [pdfSaver3]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozypr~1.lnk - c:\program files\mozypro\mozyprostat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} - hxxps://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5903/mcfscan.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CB842F3C-20CC-42EF-957F-2D8A9CF5D545} : DhcpNameServer = 192.168.0.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\office1\appdata\roaming\mozilla\firefox\profiles\upsgl7ck.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://www.tbe-sb.org/|http://www.wvpe.org/index.php#/programs.php
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbc4803&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\users\office1\appdata\roaming\mozilla\firefox\profiles\upsgl7ck.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\office1\appdata\roaming\mozilla\firefox\profiles\upsgl7ck.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-26 387480]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-2-26 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-2-26 165032]
R1 mozyproFilter;mozyproFilter;c:\windows\system32\drivers\mozypro.sys [2011-8-17 54776]
R1 SASDIFSV;SASDIFSV;c:\windows\system32\config\system~1\appdata\local\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\windows\system32\config\system~1\appdata\local\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-4 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-4-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-5 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-11-10 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-26 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-26 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-26 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-26 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-26 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-26 141792]
R2 mozyprobackup;MozyPro Backup Service;c:\program files\mozypro\mozyprobackup.exe [2011-8-4 53016]
R2 Printer DCA;Printer DCA;c:\program files\printer dca\PrinterDCA.Service.exe [2011-4-27 87296]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-26 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-26 153280]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-26 314088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9c43db31d6019;Google Update Service (gupdate1c9c43db31d6019);c:\program files\google\update\GoogleUpdate.exe [2009-4-23 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-23 133104]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-26 52320]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-26 84488]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-13 21:23:57 10141696 ----a-w- c:\programdata\Tempmozypro-manualupdate-159f7c3a5107c7eb9625d235c1754314.exe
2012-02-10 19:12:00 -------- d-----w- c:\program files\Sophos
2012-02-10 17:11:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-10 16:40:05 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-02-05 15:07:23 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-26 17:45:27 -------- d-----w- c:\program files\iPod
.
==================== Find3M ====================
.
2012-02-07 20:22:10 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-02-07 20:22:10 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-02-07 20:22:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-02-07 20:22:09 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-02-02 15:01:24 0 ----a-w- c:\programdata\Tempmozypro-manualupdate-de3c7660a560e7a5e659d8a4d4e12c87.exe
2012-01-25 13:43:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-20 08:42:29 0 ----a-w- c:\programdata\Tempmozypro-autoupdate-de3c7660a560e7a5e659d8a4d4e12c87.exe
2011-12-15 13:33:10 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-12-15 13:33:08 30592 ----a-w- c:\windows\system32\LMIport.dll.000.bak
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
2011-11-17 06:48:37 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-11-16 16:23:44 377344 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 16:23:08 72704 ----a-w- c:\windows\system32\secur32.dll
2011-11-16 16:23:05 278528 ----a-w- c:\windows\system32\schannel.dll
2011-11-16 16:21:57 1259008 ----a-w- c:\windows\system32\lsasrv.dll
.
============= FINISH: 11:21:07.57 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-14 11:46:58
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000057 HDS72808 rev.PF2O
Running: 2h4xni6c.exe; Driver: C:\Users\office1\AppData\Local\Temp\pwdiyfod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x830401E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x83040212]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x830401FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x830401D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82673982 5 Bytes JMP 830401D8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82839143 5 Bytes JMP 83040216 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8285889A 7 Bytes JMP 830401EC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82858B5D 5 Bytes JMP 83040202 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E409340, 0x413097, 0xE8000020]
? C:\Users\office1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\svchost.exe[392] ntdll.dll!NtCreateFile 77C34244 5 Bytes JMP 001D0000
.text C:\Windows\System32\svchost.exe[392] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 001D0040
.text C:\Windows\System32\svchost.exe[392] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 001D001B
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 00060087
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 00060F4B
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 000600C4
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 000600B3
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 0006005B
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 00060025
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 00060036
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 00060076
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 00060F81
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 00060FB9
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 00060F9E
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 00060FD4
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 00060F66
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 000600DF
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 00060FE5
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[392] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 00060098
.text C:\Windows\System32\svchost.exe[392] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 00180042
.text C:\Windows\System32\svchost.exe[392] msvcrt.dll!system 76CB804B 5 Bytes JMP 00180027
.text C:\Windows\System32\svchost.exe[392] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 00180FC8
.text C:\Windows\System32\svchost.exe[392] msvcrt.dll!_open 76CBD106 5 Bytes JMP 0018000C
.text C:\Windows\System32\svchost.exe[392] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 00180FB7
.text C:\Windows\System32\svchost.exe[392] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 00180FE3
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 00050F7C
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 0005001E
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 00050F8D
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 00050F6B
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 00050FB9
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 00050FD4
.text C:\Windows\System32\svchost.exe[392] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 00050FA8
.text C:\Windows\system32\services.exe[640] ntdll.dll!NtCreateFile 77C34244 5 Bytes JMP 0016000A
.text C:\Windows\system32\services.exe[640] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 0016001B
.text C:\Windows\system32\services.exe[640] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 00160FEF
.text C:\Windows\system32\services.exe[640] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 0018007B
.text C:\Windows\system32\services.exe[640] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 0018006A
.text C:\Windows\system32\services.exe[640] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 001800AA
.text C:\Windows\system32\services.exe[640] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 00180F09
.text C:\Windows\system32\services.exe[640] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 00180F6B
.text C:\Windows\system32\services.exe[640] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 00180FCD
.text C:\Windows\system32\services.exe[640] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 00180014
.text C:\Windows\system32\services.exe[640] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 00180F49
.text C:\Windows\system32\services.exe[640] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 00180F7C
.text C:\Windows\system32\services.exe[640] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 00180F8D
.text C:\Windows\system32\services.exe[640] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 00180039
.text C:\Windows\system32\services.exe[640] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 00180FA8
.text C:\Windows\system32\services.exe[640] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 00180F5A
.text C:\Windows\system32\services.exe[640] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 00180EF8
.text C:\Windows\system32\services.exe[640] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 00180FDE
.text C:\Windows\system32\services.exe[640] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 00180FEF
.text C:\Windows\system32\services.exe[640] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 00180F1A
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 00920F57
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 00920F68
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 009200D3
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 009200B8
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 00920067
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 00920025
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 00920093
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 00920056
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 00920FA8
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 00920F97
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 00920FC3
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 00920078
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 009200E4
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 00920FD4
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 00920FEF
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 00920F46
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 009F0049
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!system 76CB804B 5 Bytes JMP 009F0FBE
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 009F002E
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_open 76CBD106 5 Bytes JMP 009F0000
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 009F0FD9
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 009F0011
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 0091005B
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 00910FD4
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 00910000
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 00910FC3
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 00910076
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 00910025
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 00910FE5
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 00910040
.text C:\Windows\system32\svchost.exe[1296] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00A20FEF
.text C:\Windows\system32\svchost.exe[1296] WININET.dll!InternetOpenA 76F34E3C 5 Bytes JMP 00A00FEF
.text C:\Windows\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlA 76F3BFDE 5 Bytes JMP 00A00014
.text C:\Windows\system32\svchost.exe[1296] WININET.dll!InternetOpenW 76F6C126 5 Bytes JMP 00A00FDE
.text C:\Windows\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlW 76F9D8D2 5 Bytes JMP 00A00025
.text C:\Windows\system32\svchost.exe[1496] ntdll.dll!NtCreateFile 77C34244 5 Bytes JMP 009A0000
.text C:\Windows\system32\svchost.exe[1496] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 009A0FDB
.text C:\Windows\system32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 009A001B
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 0093008E
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 00930F52
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 009300CB
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 009300BA
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 00930F77
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 00930FDE
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 0093002F
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 0093007D
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 00930F9E
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 0093004A
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 0093005B
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 00930FC3
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 0093006C
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 009300DC
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreateFileW 76A7B0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 00930FEF
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 0093009F
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 0094001D
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!system 76CB804B 5 Bytes JMP 00940F9C
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 00940FC8
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!_open 76CBD106 3 Bytes JMP 00940000
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!_open + 4 76CBD10A 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 00940FB7
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!_wopen 76CBD501 3 Bytes JMP 00940FE3
.text C:\Windows\system32\svchost.exe[1496] msvcrt.dll!_wopen + 4 76CBD505 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 008F0054
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 008F0FB2
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 008F0FE5
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 008F0039
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 008F006F
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 008F000A
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 008F0FD4
.text C:\Windows\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 008F0FC3
.text C:\Windows\system32\svchost.exe[1496] WS2_32.dll!socket 77D236D1 5 Bytes JMP 009B0FEF
.text C:\Windows\system32\svchost.exe[1496] WININET.dll!InternetOpenA 76F34E3C 5 Bytes JMP 00990FEF
.text C:\Windows\system32\svchost.exe[1496] WININET.dll!InternetOpenUrlA 76F3BFDE 5 Bytes JMP 00990025
.text C:\Windows\system32\svchost.exe[1496] WININET.dll!InternetOpenW 76F6C126 5 Bytes JMP 0099000A
.text C:\Windows\system32\svchost.exe[1496] WININET.dll!InternetOpenUrlW 76F9D8D2 5 Bytes JMP 00990FD4
.text C:\Windows\System32\svchost.exe[1952] ntdll.dll!NtCreateFile 77C34244 5 Bytes JMP 00300FEF
.text C:\Windows\System32\svchost.exe[1952] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 00300FB9
.text C:\Windows\System32\svchost.exe[1952] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 00300FD4
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 002D0095
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 002D0F4F
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 002D0F20
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 002D00C1
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 002D0058
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 002D0FC3
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 002D000A
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 002D007A
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 002D0047
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 002D0F8A
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 002D0036
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 002D001B
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 002D0069
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 002D00DC
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 002D0FD4
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 002D0FEF
.text C:\Windows\System32\svchost.exe[1952] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 002D00B0
.text C:\Windows\System32\svchost.exe[1952] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 002F0075
.text C:\Windows\System32\svchost.exe[1952] msvcrt.dll!system 76CB804B 5 Bytes JMP 002F005A
.text C:\Windows\System32\svchost.exe[1952] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 002F0038
.text C:\Windows\System32\svchost.exe[1952] msvcrt.dll!_open 76CBD106 5 Bytes JMP 002F0000
.text C:\Windows\System32\svchost.exe[1952] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 002F0049
.text C:\Windows\System32\svchost.exe[1952] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 002F001D
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 002C0FA5
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 002C0036
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 002C0FEF
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 002C0047
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 002C0062
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 002C0FD4
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 002C000A
.text C:\Windows\System32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 002C0025
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2272] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 6FE49AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2272] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 6FE49A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[2940] ntdll.dll!NtCreateFile 77C34244 5 Bytes JMP 00050000
.text C:\Windows\Explorer.EXE[2940] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 00050022
.text C:\Windows\Explorer.EXE[2940] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 00050011
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 00010F35
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 00010F5A
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 000100A0
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 00010F13
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 00010F97
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 00010040
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 00010FE5
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 00010F6B
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 00010FA8
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 00010FC3
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 00010065
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 00010FD4
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 00010F86
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 00010EEE
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 0001001B
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 0001000A
.text C:\Windows\Explorer.EXE[2940] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 00010F24
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 00060036
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 0006001B
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 00060000
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 00060F94
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 00060047
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 00060FCA
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 00060FE5
.text C:\Windows\Explorer.EXE[2940] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 00060FAF
.text C:\Windows\Explorer.EXE[2940] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 00070F9C
.text C:\Windows\Explorer.EXE[2940] msvcrt.dll!system 76CB804B 5 Bytes JMP 00070FAD
.text C:\Windows\Explorer.EXE[2940] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 0007000C
.text C:\Windows\Explorer.EXE[2940] msvcrt.dll!_open 76CBD106 5 Bytes JMP 00070FEF
.text C:\Windows\Explorer.EXE[2940] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 00070027
.text C:\Windows\Explorer.EXE[2940] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 00070FD2
.text C:\Windows\Explorer.EXE[2940] WS2_32.dll!socket 77D236D1 5 Bytes JMP 01860000
.text C:\Windows\Explorer.EXE[2940] WININET.dll!InternetOpenA 76F34E3C 5 Bytes JMP 04820FEF
.text C:\Windows\Explorer.EXE[2940] WININET.dll!InternetOpenUrlA 76F3BFDE 5 Bytes JMP 04820FD4
.text C:\Windows\Explorer.EXE[2940] WININET.dll!InternetOpenW 76F6C126 3 Bytes JMP 0482000A
.text C:\Windows\Explorer.EXE[2940] WININET.dll!InternetOpenW + 4 76F6C12A 1 Byte [8D]
.text C:\Windows\Explorer.EXE[2940] WININET.dll!InternetOpenUrlW 76F9D8D2 5 Bytes JMP 04820FC3
.text C:\Windows\system32\svchost.exe[4744] ntdll.dll!NtCreateFile 77C34244 5 Bytes JMP 00040000
.text C:\Windows\system32\svchost.exe[4744] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 00040025
.text C:\Windows\system32\svchost.exe[4744] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 00040FEF
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 00010F61
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 0001009D
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 00010F35
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 00010F50
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 00010067
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 00010FB9
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 00010FA8
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 00010082
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 00010056
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 0001001E
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 0001002F
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 00010F8D
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 00010F72
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 00010F1A
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 00010FD4
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[4744] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 000100C2
.text C:\Windows\system32\svchost.exe[4744] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 00060FB9
.text C:\Windows\system32\svchost.exe[4744] msvcrt.dll!system 76CB804B 5 Bytes JMP 00060044
.text C:\Windows\system32\svchost.exe[4744] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 00060022
.text C:\Windows\system32\svchost.exe[4744] msvcrt.dll!_open 76CBD106 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[4744] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 00060033
.text C:\Windows\system32\svchost.exe[4744] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 00060FDE
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegCreateKeyExA 766339AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 00070FAF
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 0007003D
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 00070FC0
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 00070FDB
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 00070011
.text C:\Windows\system32\svchost.exe[4744] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 0007002C
.text C:\Windows\system32\svchost.exe[4744] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00080FEF
.text C:\Windows\system32\wuauclt.exe[5764] ntdll.dll!NtCreateFile 77C34244 5 Bytes JMP 00040000
.text C:\Windows\system32\wuauclt.exe[5764] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 00040025
.text C:\Windows\system32\wuauclt.exe[5764] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 00040FEF
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!GetStartupInfoW 76A31929 5 Bytes JMP 00010F28
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!GetStartupInfoA 76A319C9 5 Bytes JMP 00010F39
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!CreateProcessW 76A31BF3 5 Bytes JMP 000100B8
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!CreateProcessA 76A31C28 5 Bytes JMP 00010093
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!VirtualProtect 76A31DC3 5 Bytes JMP 00010F80
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!CreateNamedPipeA 76A32EF5 5 Bytes JMP 00010FE5
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!CreateNamedPipeW 76A35C0C 5 Bytes JMP 0001002C
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!CreatePipe 76A58F06 5 Bytes JMP 00010F5E
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!LoadLibraryExW 76A5927C 5 Bytes JMP 00010F91
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!LoadLibraryW 76A59400 5 Bytes JMP 00010FAC
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!LoadLibraryExA 76A59554 5 Bytes JMP 0001004E
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!LoadLibraryA 76A5957C 5 Bytes JMP 0001003D
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!VirtualProtectEx 76A5DC52 5 Bytes JMP 00010F6F
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!GetProcAddress 76A7925B 5 Bytes JMP 00010EFC
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!CreateFileW 76A7B0EB 5 Bytes JMP 0001001B
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!CreateFileA 76A7D07F 5 Bytes JMP 00010000
.text C:\Windows\system32\wuauclt.exe[5764] kernel32.dll!WinExec 76AC60CF 5 Bytes JMP 00010F17
.text C:\Windows\system32\wuauclt.exe[5764] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 00070066
.text C:\Windows\system32\wuauclt.exe[5764] msvcrt.dll!system 76CB804B 5 Bytes JMP 00070FE5
.text C:\Windows\system32\wuauclt.exe[5764] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 0007003A
.text C:\Windows\system32\wuauclt.exe[5764] msvcrt.dll!_open 76CBD106 5 Bytes JMP 00070000
.text C:\Windows\system32\wuauclt.exe[5764] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 00070055
.text C:\Windows\system32\wuauclt.exe[5764] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 0007001D
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 00080F94
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 00080FCA
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 0008000A
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 00080FAF
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 0008005B
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 0008001B
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 00080FEF
.text C:\Windows\system32\wuauclt.exe[5764] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 00080036
.text C:\Windows\system32\wuauclt.exe[5764] WS2_32.dll!socket 77D236D1 5 Bytes JMP 00140000
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 01BA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ntdll.dll!NtWriteVirtualMemory 77C354E4 5 Bytes JMP 01BB000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ntdll.dll!KiUserExceptionDispatcher 77C35C28 5 Bytes JMP 01B9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 00050FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 00050039
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 0005000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 0005004A
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 00050F97
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 00050FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 00050FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 00050FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!EnableWindow 76DECD8B 5 Bytes JMP 71569A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!DialogBoxParamW 76E110B0 5 Bytes JMP 714C170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!DialogBoxIndirectParamW 76E12EF5 5 Bytes JMP 716B62BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!DialogBoxParamA 76E28152 5 Bytes JMP 716B6259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!DialogBoxIndirectParamA 76E2847D 5 Bytes JMP 716B6323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!MessageBoxIndirectA 76E3D4D9 5 Bytes JMP 716B61E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!MessageBoxIndirectW 76E3D5D3 5 Bytes JMP 716B6167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!MessageBoxExA 76E3D639 5 Bytes JMP 716B6103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] USER32.dll!MessageBoxExW 76E3D65D 5 Bytes JMP 716B609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 00060FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] msvcrt.dll!system 76CB804B 5 Bytes JMP 00060055
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 00060029
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] msvcrt.dll!_open 76CBD106 5 Bytes JMP 00060FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 00060044
.text C:\Program Files\Internet Explorer\iexplore.exe[7476] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 00060018
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 0303000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ntdll.dll!NtWriteVirtualMemory 77C354E4 5 Bytes JMP 0318000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ntdll.dll!KiUserExceptionDispatcher 77C35C28 5 Bytes JMP 0301000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegCreateKeyExA 766339AB 5 Bytes JMP 0005006F
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegCreateKeyA 76633BA9 5 Bytes JMP 0005004A
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegOpenKeyA 766389C7 5 Bytes JMP 00050000
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegCreateKeyW 7664391E 5 Bytes JMP 00050FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegCreateKeyExW 766441F1 5 Bytes JMP 00050FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegOpenKeyExA 76647C42 5 Bytes JMP 00050FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegOpenKeyW 7664E2B5 5 Bytes JMP 0005001B
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ADVAPI32.dll!RegOpenKeyExW 76657BA1 5 Bytes JMP 00050FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!SetWindowsHookExW 76DE87AD 5 Bytes JMP 71562194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!CallNextHookEx 76DE8E3B 5 Bytes JMP 71587BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!UnhookWindowsHookEx 76DE98DB 5 Bytes JMP 715AEB74 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!EnableWindow 76DECD8B 5 Bytes JMP 71569A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!DefWindowProcA 76DEDB88 7 Bytes JMP 7152952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!CreateWindowExA 76DEDC2A 5 Bytes JMP 71533363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!CreateWindowExW 76DF1305 5 Bytes JMP 7158FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!DefWindowProcW 76E003B4 7 Bytes JMP 71587C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!DialogBoxParamW 76E110B0 5 Bytes JMP 714C170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!DialogBoxIndirectParamW 76E12EF5 5 Bytes JMP 716B62BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!DialogBoxParamA 76E28152 5 Bytes JMP 716B6259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!DialogBoxIndirectParamA 76E2847D 5 Bytes JMP 716B6323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!MessageBoxIndirectA 76E3D4D9 5 Bytes JMP 716B61E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!MessageBoxIndirectW 76E3D5D3 5 Bytes JMP 716B6167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!MessageBoxExA 76E3D639 5 Bytes JMP 716B6103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!MessageBoxExW 76E3D65D 5 Bytes JMP 716B609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 00060F8B
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] msvcrt.dll!system 76CB804B 5 Bytes JMP 00060F9C
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] msvcrt.dll!_creat 76CBBBE1 5 Bytes JMP 00060FC8
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] msvcrt.dll!_open 76CBD106 5 Bytes JMP 00060FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] msvcrt.dll!_wcreat 76CBD326 5 Bytes JMP 00060FB7
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] msvcrt.dll!_wopen 76CBD501 5 Bytes JMP 0006000C
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] ole32.dll!OleLoadFromStream 76B31E80 5 Bytes JMP 716B6A8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 008D000A
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtCreateProcessEx 77C34314 5 Bytes JMP 008E000A
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtProtectVirtualMemory 77C34BA4 5 Bytes JMP 001D000A
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtWriteVirtualMemory 77C354E4 5 Bytes JMP 0022000A
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtCreateUserProcess 77C35674 5 Bytes JMP 0093000A
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!KiUserExceptionDispatcher 77C35C28 5 Bytes JMP 001C000A
.text C:\Windows\System32\ping.exe[7632] USER32.dll!WindowFromPoint 76DE884F 5 Bytes JMP 009C000A
.text C:\Windows\System32\ping.exe[7632] USER32.dll!GetForegroundWindow 76DF32C4 5 Bytes JMP 009D000A
.text C:\Windows\System32\ping.exe[7632] USER32.dll!GetCursorPos 76E00B88 5 Bytes JMP 0097000A
.text C:\Windows\System32\ping.exe[7632] ole32.dll!CoCreateInstance 76B69F3E 5 Bytes JMP 0096000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mozypro.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat mozypro.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Processes - GMER 1.0.15 ----

Process C:\Windows\System32\ping.exe (*** hidden *** ) 7632

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\mozyproFilter@LogFile \??\C:\Program Files\MozyPro\Data\filter_raw.log.1
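
As an added example (not part of the original post, and not GMER's own code): a short Python triage of the log format shown above. It collects the `.text` hook lines whose JMP target names no module and cross-checks them against the `*** hidden ***` process entry. The regular expressions assume the line layout visible in this log.

```python
import re
from collections import defaultdict

# Lines copied from the GMER 1.0.15 log above (user-mode hooks and process list).
SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] USER32.dll!EnableWindow 76DECD8B 5 Bytes JMP 71569A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7604] msvcrt.dll!_wsystem 76CB7F2F 5 Bytes JMP 00060F8B
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtCreateProcess 77C34304 5 Bytes JMP 008D000A
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtWriteVirtualMemory 77C354E4 5 Bytes JMP 0022000A
.text C:\Windows\System32\ping.exe[7632] ntdll.dll!NtCreateUserProcess 77C35674 5 Bytes JMP 0093000A
Process C:\Windows\System32\ping.exe (*** hidden *** ) 7632
"""

HOOK = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes\s+JMP (?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<module>\S.*))?$"
)
HIDDEN = re.compile(r"^Process\s+.+\(\*\*\* hidden \*\*\*\s*\)\s+(\d+)\s*$", re.M)

def parse_hooks(log_text):
    """Return one dict per '.text ... JMP' line; any other line is skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks

def unbacked_hooks(log_text):
    """Map (image, pid) -> hooked APIs whose JMP target has no module named."""
    found = defaultdict(list)
    for h in parse_hooks(log_text):
        if h["module"] is None:
            found[(h["image"], int(h["pid"]))].append(f'{h["dll"]}!{h["func"]}')
    return dict(found)

def hidden_pids(log_text):
    """PIDs that the Processes section marks as hidden."""
    return {int(pid) for pid in HIDDEN.findall(log_text)}

def triage(log_text):
    """(image, pid, hidden, apis) rows, hidden processes first."""
    hidden = hidden_pids(log_text)
    rows = [(img, pid, pid in hidden, apis)
            for (img, pid), apis in unbacked_hooks(log_text).items()]
    return sorted(rows, key=lambda r: (not r[2], r[1]))

if __name__ == "__main__":
    for image, pid, is_hidden, apis in triage(SAMPLE):
        print(f"{'HIDDEN ' if is_hidden else ''}{image}[{pid}]: {', '.join(apis)}")
```

A hook with no module named is not proof of malware by itself, since security products also patch APIs from allocated memory; the combination with a hidden process is what makes the `ping.exe` rows stand out.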

#7 fireman4it

  • Malware Response Team

Posted 14 February 2012 - 12:03 PM

Hello wlopatin,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while it's running because it may cause it to stall.


3.
Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes.


Things to include in your next reply:
Tdsskiller log
Combofix .txt
Results.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#8 wlopatin


Posted 14 February 2012 - 12:29 PM

I am using a second computer for this writing.
I ran the tdsskiller and saved the log. Now it is running combofix that I downloaded from the above link. A box opened and showed files extracting and then it closed. Now the computer seems to be just quiet, nothing showing, no hourglass, etc. Is this normal? Should I open the task manager to see what is going on? I won't touch that computer until instructed.
Thanks.

#9 wlopatin


Posted 14 February 2012 - 12:38 PM

Just reread the instructions and forgot to turn off the McAfee before running combofix. Now I will do that and restart combofix.

#10 wlopatin


Posted 14 February 2012 - 12:47 PM

OK, a window warning opened up:
ComboFix has detected the following real time scanners to be active
antivirus: AVG Anti-Virus Free
antispyware: AVE Anti-Virus Free

Please disable before clicking OK.


We removed this free software over a year ago. I don't see it running so I don't know how to stop it. Can you tell me what process(es) to stop before continuing?

Thanks.

#11 wlopatin


Posted 14 February 2012 - 12:53 PM

Now I have another error message:

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application support team for more information


Now what???

#12 fireman4it


Posted 14 February 2012 - 04:31 PM

Hello,


1.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.


2.
Please run Combofix again, this time in SAFEMODE with Networking. Ignore any warnings of AVG on the machine and choose to let it run anyway.


Now reboot into Safe Mode with Networking.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.


#13 wlopatin


Posted 14 February 2012 - 04:51 PM

Gave up for today; had to go home.
I will be there again in the morning and will try as you suggest.
Sorry for the delay.

#14 wlopatin


Posted 15 February 2012 - 09:32 AM

OK, got here this morning and it appears the combofix continued yesterday on its own after I tried to close it with the error message mentioned above. This morning it looks like the computer is FIXED. GMER no longer says a rootkit is present, the CPU is not running at 100% all the time, the hidden PING process is not running, and there are NO web redirects.

The only problem I still see is that there is very little HD space and I cannot find any large files or folders to delete or copy to external drive. Any ideas of how to recover HD space? Or should I run anything else?

Thanks again for all the help.

#15 fireman4it


Posted 15 February 2012 - 11:18 AM

Hello,

Is there a Combofix log? It should be located at C:\Combofix.txt

If not, try and run Combofix again in Normal mode.