System Check


  • This topic is locked
17 replies to this topic

#1 stmach

Posted 24 March 2012 - 11:19 AM

Hello,

I want to make sure this temporary (older) XP Pro SP3 computer is clean from rootkits or other viruses. I do not know this PC. It was retired and not mine.

I had scanned it with McAfee, MS Malicious SW Tool, SpyBot which showed clean. I also used RKill and TDSSKiller (which shows unsigned drivers). I've downloaded Malwarebytes to do a scan also.

I now see I named my thread after a virus. The title does not mean I have the 'System Check' virus.



--------------

(--) Days after I had been using it, two viruses were intercepted. One by McAfee when scanning a portable hd and the other by SpyBot when downloading/re-installing Google Chrome.

(--) I scanned with TDSSKiller which reports drivers as unsigned. ATI video and the network adaptor. Initially 2 drivers. Now 4 (maybe after the driver reinstall).

(--) There have been 3 blue screens. The first I believe was the first time I downloaded TDSSKiller (many Google tabs open). The second, was when Google was loading many open tabs (the computer is slow to open them). The last occurred when running GMER. The system reboots too soon to see the message but I was able to see that one as an IRQL.

(--) The system has become unstable a couple times (extremely slow, had to cut power). I don't recall what I was doing. I think once a McAfee scan was finishing up.

(--) I have also been getting Shockwave Flash crashes. Maybe too many pages open in Chrome?

(--) TDSSKiller started with 2 suspicious files (ati2mtag.sys & EL2K_XP.sys). When I restored to an earlier point (possibly after the driver reinstall after quar/deleting the 2 files and resulting hardware malfunction), it now shows 4 suspicious files. Online info appears to show they are part of the driver set.

ati2evxx.exe ATI Hotkey Poller (newest flag by TDSS)
ati2sgag.exe ATI Smart (newest flag by TDSS)
ati2mtag.sys

EL2K_XP.sys EL2000

(--) I had some trouble running GMER. It stalled a couple times. Stopped real time scanning with SpyBot's TeaTimer. Still stalled. Then stopped McAfee real time. It went through. I'm not sure if it scanned all of the directories though as it had seemed to the first run that hung.

--------------


Did defogger first. Here are the logs.

Please advise if anything looks off.

Thanks.

ST



____________________________________________

DDS Logs
____________________________________________

--------------------
dds.txt
--------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Stephanie at 2:23:50 on 2012-03-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1265 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stephanie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120309063413.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\stephanie\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267733333343
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6D89741A-A76E-44E6-9637-282CC2ED07EC} : DhcpNameServer = 192.168.0.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\stephanie\application data\mozilla\firefox\profiles\yo3h13ti.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\documents and settings\stephanie\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-15 464176]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-12-12 77312]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-3-7 89792]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-3-7 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-3-7 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-3-7 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-3-7 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-3-7 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-3-7 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-3-7 150856]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-3-7 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-3-7 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-3-7 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-3-7 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-3-7 83856]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-3-7 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-3-7 87656]
.
=============== Created Last 30 ================
.
2012-03-23 20:38:28 147328 ----a-w- c:\windows\system32\drivers\EL2K_XP.sys
2012-03-23 20:36:41 4407808 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-03-23 20:29:19 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-23 20:29:19 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-23 20:28:55 -------- d-----w- C:\5b9e4a53d8d8cdd41d08c98c
2012-03-22 18:17:10 -------- d-----w- c:\program files\Spybot
2012-03-22 18:17:10 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-20 20:35:34 -------- d-----w- c:\documents and settings\stephanie\local settings\application data\visi_coupon
2012-03-20 20:32:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-09 12:38:36 -------- d-----w- c:\windows\system32\LogFiles
2012-03-09 11:34:13 28760 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2012-03-08 20:52:12 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-03-08 20:51:11 -------- d-----w- C:\iolo
2012-03-08 20:50:21 -------- d-----w- c:\documents and settings\stephanie\application data\iolo
2012-03-08 20:50:21 -------- d-----w- c:\documents and settings\all users\application data\iolo
2012-03-08 18:28:33 -------- d-----w- c:\documents and settings\stephanie\local settings\application data\Google
2012-03-08 15:37:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-03-08 15:37:18 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2012-03-08 15:37:18 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-03-08 15:37:18 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-03-08 15:37:18 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-03-08 15:37:18 45016 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-03-08 15:37:18 1911768 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2012-03-08 15:37:17 97240 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2012-03-08 15:37:17 437208 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2012-03-08 15:37:17 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2012-03-08 15:37:16 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2012-03-08 15:37:16 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2012-03-07 22:51:35 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-03-07 22:51:32 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-03-07 22:51:32 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-07 22:51:32 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-03-07 22:51:32 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-03-07 22:51:32 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-03-07 22:51:32 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-03-07 22:51:32 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-03-07 22:51:28 -------- d-----w- c:\program files\common files\Mcafee
2012-03-07 22:51:26 -------- d-----w- c:\program files\McAfee.com
2012-03-07 22:51:13 -------- d-----w- c:\program files\McAfee
2012-03-07 22:46:03 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-07 22:46:03 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-07 22:44:18 150856 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-05 17:32:45 -------- d-sh--w- c:\documents and settings\stephanie\IECompatCache
2012-03-05 15:50:57 -------- d-----w- c:\windows\system32\appmgmt
.
==================== Find3M ====================
.
2012-02-08 20:51:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 2:25:13.12 ===============



--------------------
Attach.txt
--------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/4/2010 12:50:40 PM
System Uptime: 3/24/2012 2:07:09 AM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A7V600
Processor: AMD Athlon™ MP 1700+ | SOCKET A | 1094/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 93 GiB total, 79.561 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_80B01043&REV_60\3&61AAA01&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_80B01043&REV_60\3&61AAA01&0&8D
Service:
.
==== System Restore Points ===================
.
RP388: 12/27/2011 10:30:56 AM - System Checkpoint
RP389: 12/28/2011 10:47:41 AM - System Checkpoint
RP390: 12/29/2011 11:47:41 AM - System Checkpoint
RP391: 1/3/2012 8:18:00 AM - System Checkpoint
RP392: 1/4/2012 8:39:18 AM - System Checkpoint
RP393: 1/5/2012 9:39:21 AM - System Checkpoint
RP394: 1/6/2012 11:00:27 AM - System Checkpoint
RP395: 2/8/2012 4:24:48 PM - Software Distribution Service 3.0
RP396: 3/5/2012 9:58:09 AM - System Checkpoint
RP397: 3/5/2012 10:50:53 AM - Removed Bonjour
RP398: 3/5/2012 10:52:21 AM - Removed iTunes
RP399: 3/5/2012 10:54:36 AM - Removed Apple Application Support
RP400: 3/5/2012 10:56:59 AM - Removed Apple Mobile Device Support
RP401: 3/5/2012 10:57:28 AM - Removed Apple Software Update
RP402: 3/5/2012 10:58:28 AM - Removed ESET NOD32 Antivirus
RP403: 3/5/2012 11:03:04 AM - Removed QuickTime
RP404: 3/5/2012 11:05:15 AM - Removed QuickBooks.
RP405: 3/5/2012 11:22:19 AM - Removed Safari
RP406: 3/5/2012 11:22:54 AM - Removed MobileMe Control Panel
RP407: 3/6/2012 11:32:09 AM - Removed Microsoft Office Ultimate 2007
RP408: 3/7/2012 11:18:38 PM - System Checkpoint
RP409: 3/8/2012 3:00:24 AM - Software Distribution Service 3.0
RP410: 3/9/2012 12:45:40 PM - System Checkpoint
RP411: 3/10/2012 1:21:04 PM - System Checkpoint
RP412: 3/12/2012 2:29:31 AM - System Checkpoint
RP413: 3/13/2012 8:20:51 AM - System Checkpoint
RP414: 3/14/2012 9:51:26 AM - System Checkpoint
RP415: 3/14/2012 2:37:08 PM - Software Distribution Service 3.0
RP416: 3/15/2012 1:25:22 AM - Software Distribution Service 3.0
RP417: 3/19/2012 11:19:31 PM - System Checkpoint
RP418: 3/20/2012 11:37:19 PM - System Checkpoint
RP419: 3/21/2012 5:06:16 PM - Restore Operation
RP420: 3/21/2012 6:13:43 PM - Unsigned driver install
RP421: 3/21/2012 6:18:58 PM - Update to an unsigned driver
RP422: 3/21/2012 6:25:16 PM - Update to an unsigned driver
RP423: 3/21/2012 6:32:22 PM - Restore Operation
RP424: 3/21/2012 6:37:33 PM - Software Distribution Service 3.0
RP425: 3/21/2012 10:55:21 PM - Restore Operation
RP426: 3/22/2012 12:56:25 AM - Software Distribution Service 3.0
RP427: 3/23/2012 12:30:33 PM - System Checkpoint
RP428: 3/23/2012 4:25:45 PM - Restore Operation
RP429: 3/23/2012 5:39:13 PM - Unsigned driver install
RP430: 3/23/2012 5:52:07 PM - Unsigned driver install
RP431: 3/23/2012 5:53:18 PM - Update to an unsigned driver
RP432: 3/23/2012 6:56:24 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
McAfee Internet Security
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office File Validation Add-In
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio 2005 Tools for Office Runtime
Mozilla Firefox 10.0.2 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
OGA Notifier 2.0.0048.0
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skins
Spybot - Search & Destroy
SupportSoft Assisted Service
The Lord of the Rings FREE Trial
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Visual Studio 2005 Tools for Office Second Edition Runtime
VMware Remote Console Plug-in
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows XP Service Pack 3
XPS Essentials Pack
XPS Essentials Pack 1.0
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
3/24/2012 2:08:45 AM, error: System Error [1003] - Error code 100000d1, parameter1 b58048c8, parameter2 00000002, parameter3 00000001, parameter4 f7470db8.

3/23/2012 9:03:41 PM, error: viasraid [9] - The device, \Device\Scsi\viasraid1, did not respond within the timeout period.

3/23/2012 5:24:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

3/23/2012 4:34:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

3/23/2012 4:32:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips

3/23/2012 4:25:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}

3/22/2012 5:35:46 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort1.

3/22/2012 5:28:22 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.

3/21/2012 4:07:17 PM, error: System Error [1003] - Error code 10000050, parameter1 e3aba020, parameter2 00000000, parameter3 bf82ec82, parameter4 00000001.

3/21/2012 11:32:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/21/2012 11:31:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

3/21/2012 11:31:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

3/21/2012 11:31:36 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2012 11:31:36 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2012 11:31:36 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2012 11:31:36 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2012 11:30:05 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

3/21/2012 11:29:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

3/21/2012 10:53:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mfehidk

3/21/2012 10:53:32 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2012 10:53:32 PM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

3/21/2012 10:53:32 PM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

3/21/2012 10:53:32 PM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

3/21/2012 10:53:32 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

3/21/2012 10:53:32 PM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

3/21/2012 10:53:32 PM, error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
.
==== End Of File ===========================



____________________________________________
GMER log
____________________________________________


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-24 04:35:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\viasraid1Port2Path0Target0Lun0 Maxtor_6 rev.BANC
Running: b3cjc5xg.exe; Driver: C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\pwtdapod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF78684C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF78684D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7868500]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7868556]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF78684AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7868484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7868498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF78684EA]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF786852C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7868516]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7868580]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF786856C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7868540]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB94B9000, 0x230C27, 0xE8000020]

? C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\services.exe[1076] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1076] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[1076] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0090007F
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900064
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900F8A
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900F9B
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000A1
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F59
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F1C
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900F37
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F01
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0090003D
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900090
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900FC0
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F48
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FCD
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0007001E
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00070054
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070039
.text C:\WINDOWS\system32\services.exe[1076] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FB7
.text C:\WINDOWS\system32\services.exe[1076] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FC8
.text C:\WINDOWS\system32\services.exe[1076] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[1076] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1076] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060042
.text C:\WINDOWS\system32\services.exe[1076] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[1076] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\lsass.exe[1096] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\lsass.exe[1096] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\lsass.exe[1096] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F48
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F6D
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0047
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA007F
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F2D
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EF0
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F0B
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0ED5
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0058
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F1C
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B7001B
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70051
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70F94
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B70FAF
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D7, 88]
.text C:\WINDOWS\system32\lsass.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70036
.text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60F9E
.text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60FC3
.text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60029
.text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\lsass.exe[1096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\lsass.exe[1096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F52
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80F63
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80047
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80F8A
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80073
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F2B
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80EFF
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E8008E
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80EE4
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80FAF
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80062
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80FC0
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80F10
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E70F79
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E7001B
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E70F8A
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E70FAF
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E6006E
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60FE3
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60038
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60049
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E6001D
.text C:\WINDOWS\system32\svchost.exe[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B70FCA
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F5E
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F6F
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0053
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F15
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F32
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0093
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0EFA
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0EDF
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F8A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F43
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FA5
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FC0
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0078
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0039
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0F72
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA0014
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B9004E
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90FCD
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B9003D
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B90011
.text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01560FEF
.text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0156001B
.text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01560000
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 032A000A
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 032A0F7E
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 032A0F99
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 032A0073
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 032A0062
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 032A0FD4
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 032A0F4B
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 032A0F5C
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 032A0F26
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 032A00BF
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 032A00D0
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 032A0051
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 032A001B
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 032A0F6D
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 032A0FEF
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 032A0036
.text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 032A00AE
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02CF0FCD
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02CF0080
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02CF0014
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02CF0FDE
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02CF0065
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02CF0FEF
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02CF0054
.text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02CF002F
.text C:\WINDOWS\System32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02CE0042
.text C:\WINDOWS\System32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 02CE0FB7
.text C:\WINDOWS\System32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02CE0027
.text C:\WINDOWS\System32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02CE0FEF
.text C:\WINDOWS\System32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02CE0FD2
.text C:\WINDOWS\System32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02CE000C
.text C:\WINDOWS\System32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 028E000A
.text C:\WINDOWS\System32\svchost.exe[1436] WININET.dll!InternetOpenA 3D95D6B8 5 Bytes JMP 028D0FEF
.text C:\WINDOWS\System32\svchost.exe[1436] WININET.dll!InternetOpenW 3D95DB31 5 Bytes JMP 028D0FDE
.text C:\WINDOWS\System32\svchost.exe[1436] WININET.dll!InternetOpenUrlA 3D95F3CC 5 Bytes JMP 028D0FCD
.text C:\WINDOWS\System32\svchost.exe[1436] WININET.dll!InternetOpenUrlW 3D9A6DF7 5 Bytes JMP 028D0FB2
.text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006D0000
.text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D0022
.text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D0011
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00710FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00710F61
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00710056
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0071002F
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00710F72
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00710FA8
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00710F33
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0071007B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00710F00
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00710F11
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00710EEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00710F97
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00710FCA
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00710F50
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00710014
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00710FB9
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00710F22
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00700FC0
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0070004E
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0070001B
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00700F9B
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00700FE5
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0070003D
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0070002C
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F004E
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FDE
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F000C
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0033
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1616] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1616] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B20FD4
.text C:\WINDOWS\system32\svchost.exe[1616] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B60F41
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60F5C
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60F79
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60F8A
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B6002C
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B60F13
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B6005B
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B6006C
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60EDD
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B60EAE
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60FA5
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B60F30
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60FC0
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B60EF8
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B5002C
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B50073
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B50FDB
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B50011
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50058
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B50FB6

.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D5, 88] {AAD 0x88}

.text C:\WINDOWS\system32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B5003D
.text C:\WINDOWS\system32\svchost.exe[1616] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B4004E
.text C:\WINDOWS\system32\svchost.exe[1616] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40FC3
.text C:\WINDOWS\system32\svchost.exe[1616] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1616] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B4000C
.text C:\WINDOWS\system32\svchost.exe[1616] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40033
.text C:\WINDOWS\system32\svchost.exe[1616] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1616] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\Explorer.EXE[1828] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01840000
.text C:\WINDOWS\Explorer.EXE[1828] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0184002C
.text C:\WINDOWS\Explorer.EXE[1828] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01840011
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01EA0FEF
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01EA0FB0
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01EA009B
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01EA008A
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01EA006F
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01EA0054
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01EA00D6
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01EA0F84
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01EA0F58
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01EA00E7
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01EA0F47
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01EA0FCD
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01EA0FDE
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01EA0F95
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01EA002F
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01EA001E
.text C:\WINDOWS\Explorer.EXE[1828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01EA0F73
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01E3002F
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01E30FB2
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01E30FDE
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01E30014
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01E30FC3
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01E30FEF
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01E30065
.text C:\WINDOWS\Explorer.EXE[1828] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01E30054
.text C:\WINDOWS\Explorer.EXE[1828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01E2005B
.text C:\WINDOWS\Explorer.EXE[1828] msvcrt.dll!system 77C293C7 5 Bytes JMP 01E20036
.text C:\WINDOWS\Explorer.EXE[1828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01E2000A
.text C:\WINDOWS\Explorer.EXE[1828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01E20FEF
.text C:\WINDOWS\Explorer.EXE[1828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01E2001B
.text C:\WINDOWS\Explorer.EXE[1828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01E20FC6
.text C:\WINDOWS\Explorer.EXE[1828] WININET.dll!InternetOpenA 3D95D6B8 5 Bytes JMP 01850FE5
.text C:\WINDOWS\Explorer.EXE[1828] WININET.dll!InternetOpenW 3D95DB31 5 Bytes JMP 01850000
.text C:\WINDOWS\Explorer.EXE[1828] WININET.dll!InternetOpenUrlA 3D95F3CC 5 Bytes JMP 01850025
.text C:\WINDOWS\Explorer.EXE[1828] WININET.dll!InternetOpenUrlW 3D9A6DF7 5 Bytes JMP 01850036
.text C:\WINDOWS\Explorer.EXE[1828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01860FEF
.text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090011
.text C:\WINDOWS\System32\svchost.exe[1856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FDB
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0082
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F97
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0071
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0040
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00D5
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00C4
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00E6
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F4D
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F28
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B00A7
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B002F
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B000A
.text C:\WINDOWS\System32\svchost.exe[1856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F68
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F61
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A000A
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F7C
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0F97
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\System32\svchost.exe[1856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FB2
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0FAB
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0FBC
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0011
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0000
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0022
.text C:\WINDOWS\System32\svchost.exe[1856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F0FD7
.text C:\WINDOWS\System32\svchost.exe[1856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00940FEF
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00880FE5
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00880FAF
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00880FCA
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B30F75
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B30F86
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B30F97
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B3004A
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B30FA8
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B30F49
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B30085
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B30F0C
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B30F27
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B300C0
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B3002F
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B30FD4
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B30F5A
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B30FB9
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B30F38
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B20FB6
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B20F6F
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B20011
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B20FDB
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B2002C
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B20F80
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D2, 88]
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B20F9B
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008B0038
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!system 77C293C7 5 Bytes JMP 008B0FA3
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008B0FD2
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008B001D
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenA 3D95D6B8 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenW 3D95DB31 5 Bytes JMP 00890FE5
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenUrlA 3D95F3CC 5 Bytes JMP 00890FCA
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenUrlW 3D9A6DF7 5 Bytes JMP 0089001B
.text C:\WINDOWS\system32\svchost.exe[1952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008A0000
.text C:\Program Files\Messenger\msmsgs.exe[2308] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EA0FE5
.text C:\Program Files\Messenger\msmsgs.exe[2308] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EA0000
.text C:\Program Files\Messenger\msmsgs.exe[2308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA0FD4
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0000
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF0F5E
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0F79
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0F8A
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0FA5
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0FD1
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F26
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0F37
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF0EFA
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF0093
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF0EE9
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF0FB6
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF001B
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF006E
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF003D
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF002C
.text C:\Program Files\Messenger\msmsgs.exe[2308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0F15
.text C:\Program Files\Messenger\msmsgs.exe[2308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED006B
.text C:\Program Files\Messenger\msmsgs.exe[2308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED005A
.text C:\Program Files\Messenger\msmsgs.exe[2308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED002E
.text C:\Program Files\Messenger\msmsgs.exe[2308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED000C
.text C:\Program Files\Messenger\msmsgs.exe[2308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0049
.text C:\Program Files\Messenger\msmsgs.exe[2308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED001D
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0FA5
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE0F6F
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0000
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0FCA
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0022
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EE0F8A
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0E, 89]
.text C:\Program Files\Messenger\msmsgs.exe[2308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0011
.text C:\Program Files\Messenger\msmsgs.exe[2308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0000
.text C:\Program Files\Messenger\msmsgs.exe[2308] WININET.dll!InternetOpenA 3D95D6B8 5 Bytes JMP 00EB000A
.text C:\Program Files\Messenger\msmsgs.exe[2308] WININET.dll!InternetOpenW 3D95DB31 5 Bytes JMP 00EB0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2308] WININET.dll!InternetOpenUrlA 3D95F3CC 5 Bytes JMP 00EB001B
.text C:\Program Files\Messenger\msmsgs.exe[2308] WININET.dll!InternetOpenUrlW 3D9A6DF7 5 Bytes JMP 00EB0040

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[280] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0040A4B0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

IAT C:\WINDOWS\system32\mfevtps.exe[280] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0040A510] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Edited by stmach, 25 March 2012 - 10:50 AM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:17 PM

Posted 25 March 2012 - 12:26 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so!
Doing so will only at best cause you unneeded worry, as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
It does not need to be long, just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like - it is the same as before or still the same. This just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to backup any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to backup the whole harddrive; there is some good info in the Preparation Guide on how to make full backups and how to restore it back if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 stmach

Posted 25 March 2012 - 11:00 AM

Hello Gringo :)

Thanks for your prompt response. I removed the logs from my initial post (thought that was wrong per Prep) and have inserted them again above.

I have not run any other tools but did change some settings. I hope that's not a problem. I tried to keep notes on things.

--------------------

AutoPlay - disabled it

Internet Security - set to High

Windows Startup & Recovery - Changed to: Auto Restart OFF, full dump no overwrite, time to display recovery options increased, page file allocation amount increased

Google Chrome Plugins - Disabled Chrome's internal installation of Flash (conflict with pc installation can cause the crashing)

Google Chrome Plugins - Disabled Remoting Viewer plugin

Google Chrome Plugins - Accidentally hit 'Update' for McAfee's Site Advisor extension. Not sure if it did anything.

---------------

If you want me to run the logs again before starting, please advise.

Thank you,

ST


P.S.

* I see you want me to run ComboFix. I am to disable all AV protection -- leaving the Windows firewall up -- however connect to the internet unprotected if it requests the XP recovery option? CF will protect from attacks during that? I should not disconnect from the net (pull plug) after it seems to have completed the recovery option? Let CF continue while still connected? I plan to pull the internet cable before beginning CF and plug it back in if it asks for the recovery console. Is that alright?

* How long should ComboFix take to run?

* Am I allowed to use the computer for anything else during the period of time we are working on cleaning the system as long as I don't run any tools? I realize not to do anything while a tool is running :)

.

Edited by stmach, 25 March 2012 - 11:12 AM.


#4 gringo_pr

Posted 25 March 2012 - 12:09 PM

Hello

leave it connected to the internet while combofix is running - combofix will disconnect the internet when it is no longer needed as it is running



gringo

#5 stmach

Posted 25 March 2012 - 12:29 PM

ok. I will disable McAfee, leave Windows firewall up, and run ComboFix while connected to the net.

Thanks.

#6 stmach

Posted 25 March 2012 - 12:35 PM

I am reading to disable Windows firewall. All protection down. CF will safeguard with the internet connection active? Can I unplug but plug in only if it asks to do the recovery setup or will that interfere with operations?

Edited by stmach, 25 March 2012 - 01:20 PM.


#7 stmach

Posted 25 March 2012 - 04:07 PM

dupl post

Edited by stmach, 25 March 2012 - 04:16 PM.


#8 stmach

Posted 25 March 2012 - 04:09 PM

I realize another aspect to this after reading someone else's thread.

I have an external MyBook drive that had been attached to an infected computer (rootkit/backdoor, I believe, not fixed yet). That computer was cleaned of some trojans with SuperAntiSpyware and Malwarebytes (with RKill having been run) but turned out it was still infected with the more malicious culprit. Right afterwards the system got worse. At the time the system was cleaned, I was told the MyBook had been clean on its scan ... but it seems that particular malware program on the host is elusive and does not show up.

I had attached the MyBook to this computer to view its contents and to scan it with additional programs to ensure it was clean because I need some files from it. When I did that, autoplay took off. I cancelled it but did not really see what had happened already. My understanding is that the autoplay feature resides on the external media and can transmit a virus. So possibly this system could have been exposed to that virus if it is actually on the MyBook?

I need to have the MyBook thoroughly checked/cleaned before pulling files. So I'm wondering if you would want to proceed with this pc separately, as we are, and do the MyBook later from a clean pc as originally planned? Sounds good to me. Or include it in this cleanup. It is a very full drive and took 12 hours to scan on this old pc, with MS Malicious Software Removal Tool (the only scan I ran on it, last week). If it's cleaned later, can this computer become infected by accessing it? Can browsing its file system contaminate a pc? Or copying files off of it -- which I need to do? I looked through the directories already from this pc, and autoplay had launched.

.

Edited by stmach, 25 March 2012 - 04:19 PM.


#9 gringo_pr

Posted 25 March 2012 - 08:21 PM

Hello


Do this to turn off auto play for the harddrive and let's leave it plugged in for now

http://www.question-defense.com/2009/11/14/windows-xp-turn-off-auto-play-for-external-usb-hard-drive

run combofix when you are ready


gringo

#10 stmach

Posted 26 March 2012 - 01:29 AM

Hi Gringo,

I will run ComboFix today. I'm still concerned about being on the net without firewall/AV. I'll start in an unplugged state and plug in if requested.

The group policy change I'd done earlier with Run/gpedit for disabling autoplay for externals did not take on the MyBook. It took off again. I disabled it through the unit per your link which seems to have worked.

ST

Edited by stmach, 26 March 2012 - 01:32 AM.


#11 gringo_pr

Posted 26 March 2012 - 08:16 AM

Hello


The amount of time you will be on the internet without your AV will be short and you are already infected. If something else does happen to get on, I will remove it also


gringo

#12 stmach

Posted 26 March 2012 - 05:32 PM

Yes, I see. Didn't want to pick up something or something worse like I read here.

Do you already see something there from those logs then?

I have to get some data off before running CF.

P.S. btw, reading another thread driver/cdrom.sys disinfected ... I remember trying to do a short custom McAfee scan on a CD and I saw it scan C: windows area but not show anything about that drive. Tried it a couple times. Maybe that makes sense to scan windows but I expected to see results for the external drives and am reading how viruses will manipulate scans so they don't get run/found. Please let me know if scanning windows is expected behavior :) Maybe I just missed seeing the files pass by for the CD? (not much on there).

Edited by stmach, 26 March 2012 - 08:21 PM.


#13 gringo_pr

Posted 26 March 2012 - 08:19 PM

system check is pretty nasty and I am sure there will be stuff to remove


gringo

#14 stmach

Posted 26 March 2012 - 08:25 PM

No, I don't have System Check. That was a poor title choice, mentioned earlier. I had no idea System Check was a virus!

#15 gringo_pr

Posted 01 April 2012 - 08:35 PM

Hello


I will be waiting for the report



gringo