
[Resolved] Browser Hijacking/Worms?


  • This topic is locked
30 replies to this topic

#1 d3m0l1sh3r

d3m0l1sh3r

    Authentic Member

  • Authentic Member
  • 25 posts
  • Interests:Programming, Scripting, Hacking, Network security, Web design, writing, photography, piano, guitar, music, video games.

Posted 26 November 2009 - 03:43 PM

Okay, so here's the deal:
[The 'infected' computer is running Windows 7 32-bit]
As of a couple days ago, every now and then I would hear some Target Black Friday sales commercial, but not have any idea where it came from. I did not have any windows open. I looked under processes the most recent time and found two "iexplore.exe" instances in the list. If I end the process (just one) they both end and the commercial stops. If I wait for the commercial to end, they also close.
Also, for at least a month "FontDriver.exe" has been in my startup on CCleaner, and apparently it shouldn't have been, but I'll get to that later.
So last night/today while I was doing Google searches, intermittently my links were being redirected through at least 5 other websites and then putting me at some random irrelevant page. I started a McAfee Full Scan and Microsoft Security Essentials full scan. MSE found a few "JS Exploit"s that I removed or when it tried to remove them, the status became "not found". I then installed and ran a full scan on MalwareBytes. It found 9 infections. (Sorry, I don't have a log, I will when the current scan is done.) 1 was a Trojan/Downloader that was the "FontDriver.exe" I mentioned before, and the rest were classified as "Worm"s, at least 3 being .exe's in the /Fonts folder...
ClamAV Memory and HDD scans haven't picked much up yet. I'm beginning to get worried. This isn't a computer I can afford to have viruses on.
After I hit remove on MalwareBytes, my computer restarted (not sure if it was supposed to??) and so I began running more scans. A quick scan on MalwareBytes did not pick up anything, nor did a quick scan on McAfee. I'm doing a full scan on MalwareBytes now, and once it's done, I will post the previous and current logs of it. MSE in the meantime has picked up various "JS Exploits" or "/JS.Trojan"s and removed a few, but the rest became "Not Found". I will attach at the end of the post screenshots and logs of what I can (including a HijackThis! log).
Oh, and I get some weird error when I try to run RootRepeal... [Scrnshot also attached]
Oh, and the redirects happen in IE, FireFox and Google Chrome...
Please help me, thank you so much.

EDIT
Malwarebytes scan done, uploading logfile

UPDATE:
Okay, I have a few new logs, it found some more viruses, but one on MSE wasn't found again, one on ClamAV didn't remove, and that Target 2-Day sale commercial still plays. What the heck is going on?
Anyway, new logs. And a screenshot of what wasn't found after trying to remove in MSE
EDIT:
I've deleted about 30 GB of stuff now. Scanned everything I can think of. I'm doing specific scans of folders with MalwareBytes and McAfee while MSE does a full scan. I've uninstalled stuff, etc. and the Google link redirecting is no longer intermittent, it's like every link. At least in FireFox, I uninstalled Chrome.
And I don't know if it's relevant (some people say everything is) but I can't use the "safely remove hardware" button in the system tray.
Thanks
EDIT2:
I thought I was clean, after a few links worked, but they still redirect again. DDS/RootRepeal won't work on Win7, I have RootkitRevealer and GMER scanning now.
Here's HijackThis!
EDIT3:
Now no scanners are picking anything up, but I'm still being redirected. Please help!
I have GMER and RootkitRevealer logs, but they have to be uploaded in separate posts due to size.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:05 AM, on 11/27/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\VistaSwitcher\vswitch.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
M:\RootkitRevealer.exe
M:\RootkitRevealer.exe
C:\Windows\system32\UI0Detect.exe
M:\hw76uoqv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\D3M0L1SH3R\Downloads\dds.scr
C:\Users\D3M0L1SH3R\Downloads\Tools.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [VistaSwitcher] "C:\Program Files\VistaSwitcher\vswitch.exe" /startup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: iifgedbc - iifgedbc.dll (file missing)
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FFVXNWL - Sysinternals - www.sysinternals.com - C:\Users\D3M0L1~1\AppData\Local\Temp\FFVXNWL.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GK - Sysinternals - www.sysinternals.com - C:\Users\D3M0L1~1\AppData\Local\Temp\GK.exe
O23 - Service: Google Update Service (gupdate1c9b3f31950a470) (gupdate1c9b3f31950a470) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 10615 bytes

Attached Thumbnails

  • DetectedTrojan.png
  • JRenosTrojan.png
  • not_found.png
  • RootRepealERROR.png

Edited by d3m0l1sh3r, 27 November 2009 - 07:48 AM.
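As an added example (not part of this thread, and not a tool either poster used), the script below does the first pass a malware-removal helper makes over a HijackThis log: it parses the `O2`/`O4`/`O20`/`O23` entry formats seen above and flags two conditions worth investigating, an entry whose backing file is missing (`(no file)` / `(file missing)`) and an auto-start entry or service that loads from a user-writable location such as `\Temp\` or `\AppData\`. The sample input mixes lines copied from the log above with one constructed `O4` line (`[updater]`), labelled as such in the code. The flags are heuristics, not verdicts: the `GK` and `FFVXNWL` services above, for instance, are what RootkitRevealer creates while it scans, so a hit means "look closer", not "delete".

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Drive-letter path ending in a loadable extension; non-greedy so the match
# stops at the first extension even when the path contains spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|cpl|ocx)\b", re.IGNORECASE)
# HijackThis marks a dangling registry reference with one of these two tags.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
# Directories any user (and therefore any malware running as that user) can write to.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Local Settings)\\", re.IGNORECASE)

# Lines copied from the log in the post above, plus one constructed O4 line
# ("[updater]") that illustrates a Run key pointing into %TEMP%.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [updater] C:\Users\someone\AppData\Local\Temp\upd.exe
O20 - Winlogon Notify: iifgedbc - iifgedbc.dll (file missing)
O23 - Service: GK - Sysinternals - www.sysinternals.com - C:\Users\D3M0L1~1\AppData\Local\Temp\GK.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Entry:
    code: str                  # HijackThis section code, e.g. "O23"
    text: str                  # everything after "O23 - "
    paths: list = field(default_factory=list)   # file paths found in the entry
    flags: list = field(default_factory=list)   # triage flags raised for the entry


def parse_line(line):
    """Parse one log line into an Entry, or return None for non-entry lines."""
    m = re.match(r"^(R\d+|F\d+|N\d+|O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    entry = Entry(code=m.group(1), text=m.group(2))
    entry.paths = PATH_RE.findall(entry.text)
    if MISSING_RE.search(entry.text):
        entry.flags.append("missing-file")
    if any(USER_WRITABLE_RE.search(p) for p in entry.paths):
        entry.flags.append("user-writable-path")
    return entry


def triage(log_text):
    """Return only the entries that raised at least one flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry.flags:
            flagged.append(entry)
    return flagged


def summarize(entries):
    """Count how many entries raised each flag."""
    return dict(Counter(flag for e in entries for flag in e.flags))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e.code:4} {', '.join(e.flags):20} {e.text}")
    print(summarize(hits))
```

Running it over a full log, redirect the output to a file and read the `missing-file` hits first: a dangling `O20 - Winlogon Notify` entry, as in the log above, is a load point that survives the deletion of its DLL and is exactly the kind of leftover a helper asks about.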



#2 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 27 November 2009 - 12:58 PM

Hello d3m0l1sh3r! :welcome: Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay, but I will do my best to keep it as short as possible. I am checking over your log, I will post back shortly with instructions.

Proud Graduate of the WTT Classroom


#3 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 27 November 2009 - 02:32 PM

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems. The logs from our tools can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • Logs from malware removal programs (DDS is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Only YOU must use these instructions, they are not suitable for any other computer, similar issues or not.
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is making sure that your anti-virus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as administrator!
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within five days. I will post a reminder should you seem to fail to do this, however, if you fail to reply within five days then, unless I have been notified of your absence in advance, the topic shall be closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
Please post the logs that the tools produce, rather than attaching the logs to your post. If you find it necessary, you can go ahead and post each requested log in its own post.

Scanning with DDS

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post
GMER
You said that you had the log from the GMER scan that you ran. It would be helpful if you could include that log in your next reply. If you are unable to locate that log then please follow the instructions below.

  • Right Click on GMER.exe and choose "Run as Administrator". If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Please make sure you include the following items in your next post:
1. The logs that were produced after running DDS. (DDS.txt & Attach.txt)
2. The log from the GMER scan.
3. An update on how your computer is currently running.



#4 d3m0l1sh3r

d3m0l1sh3r

    Authentic Member

  • Authentic Member
  • 25 posts
  • Interests:Programming, Scripting, Hacking, Network security, Web design, writing, photography, piano, guitar, music, video games.

Posted 27 November 2009 - 02:58 PM

Hello SweetTech, thank you for your time, and I will certainly stick with it as well.
My Google links are still being intermittently redirected, but that is the only symptom I seem to be experiencing.
I have the DDS.txt, Attach.txt and GMER.log now. I am posting as much as I can, and uploading just in case it doesn't all fit - would you prefer I use more posts if needed to post all logs without attaching them?

DDS.TXT

DDS (Ver_09-11-24.02) - NTFSx86
Run by D3M0L1SH3R at 15:51:54.24 on Fri 11/27/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2047.961 [GMT -5:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Windows\system32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\VistaSwitcher\vswitch.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\Digiarty\WinX DVD Author 5.5\NMSAccessU.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Windows\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Users\D3M0L1~1\AppData\Local\Temp\GK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\Windows\explorer.exe
C:\Users\D3M0L1SH3R\Downloads\dds(2).scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar =
uSearch Page =
uStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [VistaSwitcher] "c:\program files\vistaswitcher\vswitch.exe" /startup
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\d3m0l1~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\powerm~1.lnk - c:\program files\powermenu\PowerMenu.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\mri_disabled\ASETRES.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: iifgedbc - iifgedbc.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\d3m0l1~1\appdata\roaming\mozilla\firefox\profiles\gsuvvm5j.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-24 93320]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 GK;GK;c:\users\d3m0l1~1\appdata\local\temp\GK.exe [2009-11-27 355200]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 gupdate1c9b3f31950a470;Google Update Service (gupdate1c9b3f31950a470);c:\program files\google\update\GoogleUpdate.exe [2009-4-2 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FFVXNWL;FFVXNWL;c:\users\d3m0l1~1\appdata\local\temp\FFVXNWL.exe [2009-11-27 433024]
S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-10-16 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-10-16 218608]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-31 163328]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

=============== Created Last 30 ================

2009-11-27 03:58:22 0 d-sh--w- C:\$RECYCLE.BIN
2009-11-26 18:02:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 18:02:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 18:02:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 16:09:48 0 d-----w- c:\program files\Microsoft Security Essentials
2009-11-25 03:20:35 0 d--h--w- c:\program files\Temp
2009-11-25 03:18:27 0 d-----w- c:\program files\ATI
2009-11-25 03:17:20 0 d-----w- c:\program files\ATI Technologies
2009-11-24 22:42:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 22:41:25 0 d-----w- c:\program files\MSXML 4.0
2009-11-24 06:14:11 0 d-----w- c:\programdata\Symantec
2009-11-24 06:14:11 0 d-----w- c:\programdata\Norton
2009-11-24 06:14:08 0 d-----w- c:\programdata\NortonInstaller
2009-11-23 23:01:59 83344 ----a-w- c:\windows\system32\Erasext.dll
2009-11-23 23:01:58 307088 ----a-w- c:\windows\system32\Eraser.dll
2009-11-23 23:01:46 0 d-----w- c:\program files\CCleaner
2009-11-21 04:07:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01009.Wdf
2009-11-21 03:49:24 9343 ----a-w- c:\windows\system32\drivers\NETLNEV5.INF
2009-11-21 03:49:24 7922 ----a-w- c:\windows\system32\drivers\NETLNEV5.CAT
2009-11-21 03:49:24 36013 ----a-w- c:\windows\system32\drivers\LNE100V5.SYS
2009-11-21 03:47:08 7952 ----a-w- c:\windows\system32\drivers\NETLNEV4.INF
2009-11-21 03:47:08 7153 ----a-w- c:\windows\system32\drivers\NETLNEV4.CAT
2009-11-21 03:47:08 31460 ----a-w- c:\windows\system32\drivers\LNE100V4.SYS
2009-11-20 22:58:03 299008 ----a-w- c:\windows\system32\drivers\m4cxvista.sys
2009-11-20 22:58:03 11738 ----a-w- c:\windows\system32\drivers\m4cxvista.cat
2009-11-20 22:58:03 112018 ----a-w- c:\windows\system32\drivers\m4cxvista.inf
2009-11-20 22:58:03 10752 ----a-w- c:\windows\system32\drivers\m4x32coinst.DLL
2009-11-20 02:27:09 0 d-----w- c:\program files\Audacity
2009-11-19 20:56:21 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-19 20:56:20 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-19 02:44:45 1108512 ----a-w- c:\windows\system32\nvcpluir.dll
2009-11-19 02:29:44 16496 ------w- c:\windows\system32\drivers\NVXBAR.SYS
2009-11-19 02:29:39 29696 ------w- c:\windows\system32\FILTER.AX
2009-11-19 02:29:39 141582 ------w- c:\windows\system32\drivers\NVCAP.SYS
2009-11-19 01:11:36 0 d-----w- c:\program files\NVIDIA Corporation
2009-11-19 01:08:47 0 d-----w- C:\NVIDIA
2009-11-14 21:05:35 0 d-----w- c:\program files\Unreal Tournament 3
2009-11-14 21:05:01 0 d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-11-14 18:01:06 0 d-----w- c:\windows\85EBB28365AF4C539EBE7C0A232762F7.TMP
2009-11-14 18:00:49 0 d-----w- c:\programdata\Media Center Programs
2009-11-14 17:55:20 78784 ----a-w- c:\windows\system32\ISUSPM.cpl
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-07 02:35:00 0 d-----w- c:\program files\Steam
2009-11-06 22:37:20 0 d-----w- c:\users\d3m0l1sh3r\.dvdcss
2009-11-06 15:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 15:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-06 15:58:04 178975 ----a-w- c:\windows\system32\xlive.dll.cat
2009-11-05 21:55:35 0 d-----w- c:\program files\Digiarty
2009-11-05 21:51:30 0 d---a-w- c:\programdata\TEMP
2009-11-05 20:49:37 0 d-----w- c:\program files\VideoLAN
2009-11-05 01:08:45 0 d-----w- c:\program files\Ventrilo
2009-11-05 01:08:43 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-11-05 01:05:52 0 d-----w- c:\users\d3m0l1~1\appdata\roaming\GameRanger
2009-11-05 00:04:12 0 d-----w- c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
2009-11-04 23:53:05 0 d-----w- c:\program files\2K Games
2009-11-04 23:52:24 0 d-----w- C:\BDS
2009-11-04 03:15:44 0 d-----w- c:\program files\iPod
2009-11-04 00:55:09 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2009-11-04 00:55:09 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2009-11-04 00:55:09 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-11-04 00:55:08 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-11-04 00:55:08 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-11-04 00:55:08 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-11-04 00:47:22 0 d-----w- c:\program files\Codemasters
2009-11-04 00:15:49 0 d-----w- c:\program files\Activision
2009-11-03 22:30:15 0 d-----w- c:\users\d3m0l1~1\appdata\roaming\Gmail Notifier Plus
2009-11-03 05:33:43 0 d-----w- c:\windows\Panther
2009-11-03 05:22:30 0 d--h--w- C:\$WINDOWS.~Q
2009-11-03 05:08:45 0 d--h--w- C:\$INPLACE.~TR
2009-11-03 04:20:23 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-03 04:10:36 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-03 04:10:33 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-03 04:10:32 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-11-03 04:10:32 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-03 04:10:32 2613248 ----a-w- c:\windows\explorer.exe
2009-11-03 04:10:32 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-03 04:10:31 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-03 04:10:31 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-11-03 04:10:31 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-11-03 04:10:29 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-03 04:06:00 0 d-----w- c:\program files\Alex Feinman
2009-11-03 03:57:38 0 d-----w- c:\windows\system32\wbem\Performance
2009-11-03 03:55:33 20 --sh--w- c:\users\d3m0l1sh3r\ntuser.ini
2009-11-03 03:55:25 0 d-sh--w- C:\Recovery
2009-11-03 03:40:19 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-03 02:42:06 731366 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-11-03 02:41:46 0 d-----w- c:\windows\system32\URTTEMP
2009-11-03 02:41:32 0 d-sh--w- c:\windows\Installer
2009-11-03 02:38:18 0 d-----w- c:\windows\system32\RTCOM
2009-11-03 02:37:51 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2009-11-03 02:37:51 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2009-11-03 02:37:37 0 d-----w- c:\program files\Motorola
2009-11-03 02:37:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-03 00:30:17 1890 ----a-w- c:\windows\diagwrn.xml
2009-11-03 00:30:17 1890 ----a-w- c:\windows\diagerr.xml
2009-11-02 23:05:36 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 23:05:34 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-01 05:12:17 218 ----a-w- c:\users\d3m0l1sh3r\.recently-used.xbel
2009-11-01 03:04:26 0 d-----w- c:\program files\TLC
2009-11-01 03:04:11 289280 ----a-w- c:\windows\uninst.exe

==================== Find3M ====================

2009-11-19 00:36:06 223432 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-11-19 00:32:33 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-19 00:32:33 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-11-19 00:14:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-15 02:54:47 242004 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-19 01:38:30 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-28 14:22:00 364544 ----a-w- c:\windows\system32\yk62x86.dll
2009-09-27 22:47:30 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 22:47:00 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 22:47:00 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-27 22:47:00 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 22:47:00 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 22:47:00 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 22:47:00 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 22:47:00 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 22:47:00 150120 ----a-w- c:\windows\system32\nvshext.dll
2009-09-27 22:47:00 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 22:47:00 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 22:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 22:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 03:47:13 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-25 16:41:28 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-17 23:46:49 19523 ----a-w- c:\windows\hpqins13.dat
2009-09-09 23:47:26 192512 --sha-w- c:\windows\fonts\ICSharpCode.SharpZipLib.dll
2009-09-06 00:33:15 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-04 21:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 21:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 21:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 21:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2006-05-03 09:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
2005-02-28 17:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:52:57.77 ===============




ATTACH.TXT


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-24.02)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 11/2/2009 11:55:27 PM
System Uptime: 11/26/2009 8:14:33 PM (19 hours ago)

Motherboard: Acer | | F690GVM
Processor: AMD Athlon™ X2 Dual Core Processor BE-2350 | Socket AM2 | 2100/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 59.386 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is FIXED (NTFS) - 144 GiB total, 85.511 GiB free.
J: is Removable
K: is Removable
M: is Removable
N: is Removable
O: is Removable

==== Disabled Device Manager Items =============

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: sptd
Device ID: ROOT\LEGACY_SPTD\0000
Manufacturer:
Name: sptd
PNP Device ID: ROOT\LEGACY_SPTD\0000
Service: sptd

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\3&18D45AA6&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\3&18D45AA6&0
Service: i8042prt

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Bluetooth Device (Personal Area Network)
Device ID: BTH\MS_BTHPAN\6&3A41987D&0&2
Manufacturer: Microsoft
Name: Bluetooth Device (Personal Area Network)
PNP Device ID: BTH\MS_BTHPAN\6&3A41987D&0&2
Service: BthPan

==== System Restore Points ===================

RP62: 11/26/2009 10:14:34 PM - Removed 802.11g Driver and Client Applications
RP63: 11/26/2009 10:18:45 PM - Removed HuluDesktopIntegration
RP66: 11/26/2009 10:20:42 PM - Removed Quake 4™
RP67: 11/26/2009 10:20:43 PM - Removed Prototype™
RP69: 11/26/2009 10:26:21 PM - Removed Star Wars Battlefront II
RP70: 11/26/2009 10:30:48 PM - Removed Paint.NET v3.5
RP71: 11/27/2009 9:00:50 AM - Windows Update

==== Installed Programs ======================

32 Bit HP CIO Components Installer
7-Zip 9.07 beta
AAC Decoder
Acer Assist
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer Registration
Acer ScreenSaver
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AIO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Aspell English Dictionary-0.50-2
Audacity 1.2.6
AutoHotkey 1.0.48.03
AutoUpdate
BlueJ 2.5.1
Bonjour
Borderlands
BufferChm
C5200
C5200_doccd
c5200_Help
Call of Duty® - World at War™ 1.1 Patch
Call of Duty® - World at War™ 1.2 Patch
Call of Duty® - World at War™ 1.3 Patch
Call of Duty® - World at War™ 1.4 Patch
Call of Duty® - World at War™ 1.5 Patch
CCleaner
Clive Barker's Jericho
Connect
Copy
Copy Path Shell Extension
Counter-Strike: Source
Crysis WARHEAD®
CyberLink PhotoNow
CyberLink PowerDirector
Dead Space™
Defraggler
Destination Component
Dev-C++ 5 beta 9 release (4.9.9.2)
DeviceDiscovery
DeviceManagementQFolder
DisplayFusion 3.1.5
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DocProc
DocProcQFolder
Download Manager 2.3.9
Dungeons and Dragons Online™ - Eberron Unlimited™ - Live
eSupportQFolder
Fax
FileHippo.com Update Checker
FLAC 1.2.1b (remove only)
GameRanger
GameSpy Arcade
Gears of War
GNU Aspell 0.50-3
Google Gears
Google Update Helper
GTK+ Runtime 2.14.7 rev a (remove only)
Guifications Plugin (remove only)
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 3.5
HP Solution Center 9.0
HP Update
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
InfraRecorder
ISO Recorder
iTunes
Java DB 10.4.2.1
Java™ 6 Update 17
Java™ SE Development Kit 6 Update 14
Java™ SE Development Kit 6 Update 16
Java™ SE Development Kit 6 Update 2
Junk Mail filter update
kuler
LightScribe 1.4.142.1
Logitech Gaming Software
Malwarebytes' Anti-Malware
McAfee SecurityCenter
MCE Software Encoder 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Halo
Microsoft Halo Custom Edition
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Search Enhancement Pack
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Works
Microsoft XNA Framework Redistributable 3.0
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Game Studio 3.1
Microsoft XNA Game Studio 3.1 (ARP entry)
Microsoft XNA Game Studio 3.1 (Platformer)
Microsoft XNA Game Studio 3.1 (Redists)
Microsoft XNA Game Studio 3.1 (Shared Components)
Microsoft XNA Game Studio 3.1 (VCSExpress)
Microsoft XNA Game Studio 3.1 (XnaLiveProxy)
Microsoft XNA Game Studio 3.1 Documentation
Microsoft XNA Game Studio Platform Tools
MKV Splitter
MobileMe Control Panel
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.5.5)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Notepad++
NTI CD & DVD-Maker
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
NVIDIA WDM Drivers
OGA Notifier 2.0.0048.0
OpenSSL 0.9.8k (32-bit)
Paint.NET v3.5
PanoStandAlone
PDF Settings CS4
PE585QA-32
PG583_32_inf
Photoshop Camera Raw
Pidgin
Pidgin-Encryption Plugin (remove only)
Pidgin-Musictracker plugin (remove only)
pidgin-otr 3.2.0-1
PowerMenu 1.51
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_min
PSSWCORE
PVSonyDll
Python 2.5 MySQL-python-1.2.2
Python 2.5 pysqlite-2.4.1
Python 2.5.2
Python 2.6
Python 2.6 pysqlite-2.5.1
Python 2.6 reportlab-2.3
QuickTime
RealPlayer
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
SmartSound Quicktracks Plugin
SolutionCenter
SQL Server System CLR Types
Status
Steam
Strawberry Perl 5.10.0.5
Suite Shared Configuration CS4
SUPER © Version 2009.bld.36 (June 10, 2009)
TI Connect 1.6
Toolbox
TortoiseSVN 1.6.6.17493 (32 bit)
TrayApp
TrueCrypt
Turbine Download Manager - Live
UnloadSupport
Unlocker 1.8.8
Unreal Tournament 3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb975960)
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
VideoToolkit01
VistaSwitcher
VLC media player 1.0.3
Warcraft III
Warcraft III: All Products
WebReg
WIDCOMM Bluetooth Software 6.0.1.5300
Windows 7 Upgrade Advisor
Windows Installer Clean Up
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinX DVD Author 5.5.8
WinX DVD Ripper Platinum 5.1.1
Wolfenstein
Xilisoft DVD Ripper Platinum 5

==== Event Viewer Messages From Past Week ========

11/27/2009 9:23:22 AM, Error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 5 time(s).
11/27/2009 12:44:48 AM, Error: Service Control Manager [7030] - The GK service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
11/27/2009 12:44:37 AM, Error: Service Control Manager [7034] - The FFVXNWL service terminated unexpectedly. It has done this 1 time(s).
11/27/2009 12:31:36 AM, Error: Service Control Manager [7030] - The FFVXNWL service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
11/27/2009 12:08:09 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147609530 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: TrojanDownloader:JS/Renos ID: 2147609530 Severity: High Category: Trojan Downloader Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/27/2009 12:03:26 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147542430 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: Trojan:Unix/Rootkit.C ID: 2147542430 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/27/2009 1:09:54 AM, Error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 4 time(s).
11/26/2009 9:15:23 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147605014 User: NT AUTHORITY\SYSTEM Name: TrojanProxy:Win32/Bunitu.A ID: 2147605014 Severity: Severe Category: Trojan Proxy Server Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 8:54:55 PM, Error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/26/2009 8:16:48 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd
11/26/2009 8:16:45 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the eSettings Service service to connect.
11/26/2009 8:16:45 PM, Error: Service Control Manager [7000] - The eSettings Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/26/2009 8:16:42 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the eRecovery Service service to connect.
11/26/2009 8:16:42 PM, Error: Service Control Manager [7000] - The eRecovery Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/26/2009 8:15:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the ePerformance Service service to connect.
11/26/2009 8:15:24 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
11/26/2009 8:14:35 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
11/26/2009 8:13:11 PM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
11/26/2009 8:11:11 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147626071 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: Trojan:Win32/Orsam!rts ID: 2147626071 Severity: High Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 7:10:16 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147628718 User: NT AUTHORITY\SYSTEM Name: TrojanClicker:Win32/Yabector.gen ID: 2147628718 Severity: Severe Category: Trojan Notifier Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 4:55:39 PM, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
11/26/2009 4:01:30 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147629360 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: Exploit:Java/CVE-2008-5353.C ID: 2147629360 Severity: Severe Category: Exploit Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 3:24:30 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147609530 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: TrojanDownloader:JS/Renos ID: 2147609530 Severity: High Category: Trojan Downloader Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 3:20:42 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147628639 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: Trojan:Win32/Alureon.CT ID: 2147628639 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 12:37:23 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147629733 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: PWS:Win32/OnLineGames.GL ID: 2147629733 Severity: Severe Category: Password Stealer Path: Action: Quarantine Error Code: 0x80070002 Error description: The system cannot find the file specified. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 12:37:22 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147629733 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: PWS:Win32/OnLineGames.GL ID: 2147629733 Severity: Severe Category: Password Stealer Path: Action: Remove Error Code: 0x80070005 Error description: Access is denied. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 11:56:46 PM, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.
11/26/2009 11:55:06 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147572028 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: Exploit:JS/SetSlice ID: 2147572028 Severity: Severe Category: Exploit Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 11:45:53 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....atid=2147629360 User: D3M0L1SH3R-PC\D3M0L1SH3R Name: Exploit:Java/CVE-2008-5353.C ID: 2147629360 Severity: Severe Category: Exploit Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.71.269.0, AS: 1.71.269.0 Engine Version: 1.1.5302.0
11/26/2009 10:41:19 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/26/2009 10:40:56 PM, Error: Service Control Manager [7031] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
11/26/2009 10:40:51 PM, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
11/26/2009 10:40:44 PM, Error: Service Control Manager [7034] - The eDataSecurity Service service terminated unexpectedly. It has done this 1 time(s).
11/26/2009 10:40:29 PM, Error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 3 time(s).
11/26/2009 10:02:02 PM, Error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/24/2009 5:48:47 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: nVidia - Display - NVIDIA Geforce 9800 GT.
11/24/2009 3:12:41 PM, Error: Service Control Manager [7023] - The Power service terminated with the following error: The WMI request could not be completed and should be retried.
11/24/2009 10:31:18 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070103: nVidia - Display - NVIDIA Geforce 9800 GT.
11/24/2009 10:25:31 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk7\DR7.
11/24/2009 10:20:44 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{F57BBA15-17EB-4E0C-92B6-3846F146FDA0} because another computer on the network has the same name. The server could not start.
11/23/2009 9:17:32 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk7\DR10.
11/23/2009 7:44:14 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

==== End Of File ===========================


GMER.LOG

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 08:31:53
Windows 6.1.7600
Running: hw76uoqv.exe; Driver: C:\Users\D3M0L1~1\AppData\Local\Temp\afdoiuoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E31AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E31104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E313F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E19634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E19898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E311DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E31958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E316F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E31F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E321A8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F47B79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F47B738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F47B74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F47B762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F47B7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F47B81F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F47B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F47B724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F47B7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8F47B833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F47B78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F47B776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F47B80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F47B7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F47B7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82E79128 5 Bytes JMP 8F47B7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E91579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 9E35CC9D 28 Bytes [4F, 58, C6, 85, 4A, 96, 89, ...]
.text peauth.sys 9E35CCC1 28 Bytes [4F, 58, C6, 85, 4A, 96, 89, ...]
? C:\Program Files\WinMountPortable\App\SysDir\drivers\WMDrive.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[504] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 006C0F65
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 006C0F28
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 006C0F39
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 006C0FD4
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 006C008E
.text C:\Windows\system32\services.exe[504] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 006C0F8A
.text C:\Windows\system32\services.exe[504] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 006C0062
.text C:\Windows\system32\services.exe[504] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 006C0051
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 006C0FE5
.text C:\Windows\system32\services.exe[504] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 006C0F17
.text C:\Windows\system32\services.exe[504] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 006C0FAF
.text C:\Windows\system32\services.exe[504] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 006C0036
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 006C0000
.text C:\Windows\system32\services.exe[504] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 006C00A9
.text C:\Windows\system32\services.exe[504] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 006C0025
.text C:\Windows\system32\services.exe[504] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 006C0F4A
.text C:\Windows\system32\services.exe[504] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 006C007D
.text C:\Windows\system32\services.exe[504] msvcrt.dll!_open 76427E48 5 Bytes JMP 00020000
.text C:\Windows\system32\services.exe[504] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 0002003D
.text C:\Windows\system32\services.exe[504] msvcrt.dll!system 7645B16F 5 Bytes JMP 00020FB2
.text C:\Windows\system32\services.exe[504] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 00020022
.text C:\Windows\system32\services.exe[504] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00020FC3
.text C:\Windows\system32\services.exe[504] msvcrt.dll!_wopen 76460570 5 Bytes JMP 00020011
.text C:\Windows\system32\services.exe[504] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 003E0FEF
.text C:\Windows\system32\services.exe[504] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 003E000A
.text C:\Windows\system32\services.exe[504] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 003E001B
.text C:\Windows\system32\services.exe[504] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 003E0FCA
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 006B0FE5
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 006B0FB6
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 006B0058
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 006B003D
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 006B0000
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 006B0FA5
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 1 Byte [E9]
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 006B0011
.text C:\Windows\system32\services.exe[504] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 006B0022
.text C:\Windows\system32\services.exe[504] WS2_32.dll!socket 76643F00 5 Bytes JMP 006D000A
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 00660065
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00660EEB
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 00660F06
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00660FB9
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00660054
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00660F57
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 0066002F
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00660F68
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 0066000A
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 00660ED0
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 00660F94
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00660F79
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00660FEF
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 00660076
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00660FCA
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00660F21
.text C:\Windows\system32\lsass.exe[536] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00660F46
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_open 76427E48 5 Bytes JMP 000D000C
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 000D0069
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!system 7645B16F 5 Bytes JMP 000D0044
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 000D0029
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 000D0FD4
.text C:\Windows\system32\lsass.exe[536] msvcrt.dll!_wopen 76460570 5 Bytes JMP 000D0FEF
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 000E0000
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 000E001B
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 000E0036
.text C:\Windows\system32\lsass.exe[536] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 000E0047
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00100FE5
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 00100FB9
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00100F94
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 00100040
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 0010000A
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 00100F83
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 00100025
.text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 00100FD4
.text C:\Windows\system32\lsass.exe[536] WS2_32.dll!socket 76643F00 5 Bytes JMP 000F000A
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 00730091
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00730F57
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 007300E2
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00730FDB
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00730F68
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00730076
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 00730F9E
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 0073005B
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 0073001B
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 00730107
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 00730FCA
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00730FB9
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00730000
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 007300B6
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 0073002C
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 007300C7
.text C:\Windows\system32\svchost.exe[704] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00730F83
.text C:\Windows\system32\svchost.exe[704] msvcrt.dll!_open 76427E48 5 Bytes JMP 005C0FE3
.text C:\Windows\system32\svchost.exe[704] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 005C0027
.text C:\Windows\system32\svchost.exe[704] msvcrt.dll!system 7645B16F 5 Bytes JMP 005C0F9C
.text C:\Windows\system32\svchost.exe[704] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 005C0FB7
.text C:\Windows\system32\svchost.exe[704] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 005C0016
.text C:\Windows\system32\svchost.exe[704] msvcrt.dll!_wopen 76460570 5 Bytes JMP 005C0FD2
.text C:\Windows\system32\svchost.exe[704] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 0071000A
.text C:\Windows\system32\svchost.exe[704] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 00710FE5
.text C:\Windows\system32\svchost.exe[704] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 0071001B
.text C:\Windows\system32\svchost.exe[704] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 00710FC0
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00720FE5
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 00720047
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00720058
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 00720FB6
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 0072000A
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 00720069
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 0072001B
.text C:\Windows\system32\svchost.exe[704] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 0072002C
.text C:\Windows\system32\svchost.exe[704] WS2_32.dll!socket 76643F00 5 Bytes JMP 00790FEF
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 006E0087
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 006E00C4
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 006E0F2F
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 006E0FC0
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 006E0076
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 006E0047
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 006E0F79
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 006E0F94
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 006E0FDB
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 006E00E9
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 006E002C
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 006E0FA5
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 006E0000
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 006E0098
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 006E0011
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 006E00A9
.text C:\Windows\system32\svchost.exe[808] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 006E0F5E
.text C:\Windows\system32\svchost.exe[808] msvcrt.dll!_open 76427E48 5 Bytes JMP 005A0000
.text C:\Windows\system32\svchost.exe[808] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 005A0FCA
.text C:\Windows\system32\svchost.exe[808] msvcrt.dll!system 7645B16F 5 Bytes JMP 005A0055
.text C:\Windows\system32\svchost.exe[808] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 005A0029
.text C:\Windows\system32\svchost.exe[808] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 005A0044
.text C:\Windows\system32\svchost.exe[808] msvcrt.dll!_wopen 76460570 5 Bytes JMP 005A0FEF
.text C:\Windows\system32\svchost.exe[808] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 00640000
.text C:\Windows\system32\svchost.exe[808] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 0064001B
.text C:\Windows\system32\svchost.exe[808] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 00640FE5
.text C:\Windows\system32\svchost.exe[808] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 00640036
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 006D000A
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 006D003D
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 006D0FAC
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 006D0058
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 006D001B
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 006D0069
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 006D0FDB
.text C:\Windows\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 006D002C
.text C:\Windows\system32\svchost.exe[808] WS2_32.dll!socket 76643F00 5 Bytes JMP 006C0FEF
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 00860098
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00860F2F
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 008600C4
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00860000
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00860F79
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00860062
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 00860051
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00860F94
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 00860FCA
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 008600DF
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 0086001B
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00860036
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00860FE5
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 008600B3
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00860FAF
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00860F54
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00860087
.text C:\Windows\System32\svchost.exe[980] msvcrt.dll!_open 76427E48 5 Bytes JMP 00790000
.text C:\Windows\System32\svchost.exe[980] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 00790055
.text C:\Windows\System32\svchost.exe[980] msvcrt.dll!system 7645B16F 5 Bytes JMP 00790FD4
.text C:\Windows\System32\svchost.exe[980] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 00790044
.text C:\Windows\System32\svchost.exe[980] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00790FEF
.text C:\Windows\System32\svchost.exe[980] msvcrt.dll!_wopen 76460570 5 Bytes JMP 0079001D
.text C:\Windows\System32\svchost.exe[980] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 007A0FE5
.text C:\Windows\System32\svchost.exe[980] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 007A000A
.text C:\Windows\System32\svchost.exe[980] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 007A0FD4
.text C:\Windows\System32\svchost.exe[980] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 007A0025
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 007C0000
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 007C0025
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 007C0051
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 007C0040
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 007C0FE5
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 007C0F94
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 007C0FCA
.text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 007C0FB9
.text C:\Windows\System32\svchost.exe[980] WS2_32.dll!socket 76643F00 5 Bytes JMP 007B0000
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 00CE0084
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00CE0F25
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 00CE00C4
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00CE0025
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00CE0073
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00CE0051
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 00CE0F79
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00CE0F9E
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 00CE000A
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 00CE00D5
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 00CE0FB9
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00CE0040
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00CE0FEF
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 00CE0F4A
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00CE0FCA
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00CE00A9
.text C:\Windows\System32\svchost.exe[1052] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00CE0062
.text C:\Windows\System32\svchost.exe[1052] msvcrt.dll!_open 76427E48 5 Bytes JMP 00C60FEF
.text C:\Windows\System32\svchost.exe[1052] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 00C60038
.text C:\Windows\System32\svchost.exe[1052] msvcrt.dll!system 7645B16F 5 Bytes JMP 00C60027
.text C:\Windows\System32\svchost.exe[1052] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 00C60FC1
.text C:\Windows\System32\svchost.exe[1052] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00C6000C
.text C:\Windows\System32\svchost.exe[1052] msvcrt.dll!_wopen 76460570 5 Bytes JMP 00C60FD2
.text C:\Windows\System32\svchost.exe[1052] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 00C70FEF
.text C:\Windows\System32\svchost.exe[1052] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 00C7000A
.text C:\Windows\System32\svchost.exe[1052] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 00C7001B
.text C:\Windows\System32\svchost.exe[1052] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 00C7002C
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00CD000A
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 00CD002F
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00CD0054
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 00CD0FA8
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 00CD0FE5
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 00CD0065
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 00CD0FD4
.text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 00CD0FC3
.text C:\Windows\System32\svchost.exe[1052] WS2_32.dll!socket 76643F00 5 Bytes JMP 00CC000A
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 00D90F65
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00D90F28
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 00D900B3
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00D90FD1
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00D90098
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00D90073
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 00D90FA5
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00D90062
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 00D90011
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 00D90F17
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 00D90FC0
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00D90051
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00D90000
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 00D90F54
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00D9002C
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00D90F43
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00D90F8A
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_open 76427E48 5 Bytes JMP 00870FE3
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 00870F90
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!system 7645B16F 5 Bytes JMP 0087001B
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 0087000A
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00870FB5
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wopen 76460570 5 Bytes JMP 00870FC6
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 00BE0FEF
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 00BE0FD4
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 00BE0FB9
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 00BE0014
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00C40FEF
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 00C40025
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00C4004A
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 00C40F9E
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 00C40FD4
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 00C40F83
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 00C40FB9
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 00C4000A
.text C:\Windows\system32\svchost.exe[1092] WS2_32.dll!socket 76643F00 5 Bytes JMP 00BF0000
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 006300A5
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00630F2B
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 006300C0
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00630FC3
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00630F7C
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00630FA8
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 00630076
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 0063005B
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 00630FEF
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 006300DB
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 0063002F
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 0063004A
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00630000
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 00630F61
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00630FD4
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00630F50
.text C:\Windows\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00630F8D
.text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_open 76427E48 5 Bytes JMP 002E0000
.text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 002E0049
.text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!system 7645B16F 5 Bytes JMP 002E0FC8
.text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 002E0027
.text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 002E0038
.text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wopen 76460570 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\svchost.exe[1256] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 00580000
.text C:\Windows\system32\svchost.exe[1256] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 00580FDB
.text C:\Windows\system32\svchost.exe[1256] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 00580011
.text C:\Windows\system32\svchost.exe[1256] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 00580FC0
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 005E0000
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 005E0047
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 005E0069
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 005E0058
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 005E0025
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 005E0084
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 005E0036
.text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 005E0FDB
.text C:\Windows\system32\svchost.exe[1256] WS2_32.dll!socket 76643F00 5 Bytes JMP 00590FEF
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 006B00B0
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 006B0F40
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 006B00D5
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 006B002F
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 006B0F87
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 006B008E
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 006B007D
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 006B006C
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 006B0FDE
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 006B00E6
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 006B0040
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 006B005B
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 006B0FEF
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 006B0F76
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 006B001E
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 006B0F5B
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 006B009F
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_open 76427E48 5 Bytes JMP 00620000
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 0062005B
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!system 7645B16F 5 Bytes JMP 00620036
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 00620FD7
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00620FC6
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_wopen 76460570 5 Bytes JMP 00620011
.text C:\Windows\system32\svchost.exe[1468] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 00630000
.text C:\Windows\system32\svchost.exe[1468] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 0063001B
.text C:\Windows\system32\svchost.exe[1468] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 00630FE5
.text C:\Windows\system32\svchost.exe[1468] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 00630040
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00660000
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 00660051
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00660FAF
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 00660FC0
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 0066001B
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 00660F94
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 00660FE5
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 00660036
.text C:\Windows\system32\svchost.exe[1468] WS2_32.dll!socket 76643F00 5 Bytes JMP 00650FE5
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 011C0F83
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 011C00F0
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 011C00DF
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 011C0FCA
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 011C00A2
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 011C0F9E
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 011C0076
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 011C0051
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 011C0FE5
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 011C010B
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 011C0FB9
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 011C0040
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 011C0000
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 011C00BD
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 011C001B
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 011C00CE
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 011C0091
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_open 76427E48 5 Bytes JMP 01140000
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 01140F9F
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!system 7645B16F 5 Bytes JMP 01140FB0
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 01140FD2
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 01140FC1
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wopen 76460570 5 Bytes JMP 01140FE3
.text C:\Windows\system32\svchost.exe[1764] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 0119000A
.text C:\Windows\system32\svchost.exe[1764] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 01190FE5
.text C:\Windows\system32\svchost.exe[1764] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 01190FD4
.text C:\Windows\system32\svchost.exe[1764] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 01190FC3
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 011B0000
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 011B0FD4
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 011B0065
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 011B0FC3
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 011B0011
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 011B0FB2
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 011B0036
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 011B0FE5
.text C:\Windows\system32\svchost.exe[1764] WS2_32.dll!socket 76643F00 5 Bytes JMP 011A0000
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 007900A2
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00790F14
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 00790F2F
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00790FC3
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00790087
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 0079006C
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 0079005B
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00790F9E
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 00790FD4
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 007900C4
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 0079002F
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00790040
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00790FEF
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 007900B3
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00790014
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00790F4A
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00790F79
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_open 76427E48 5 Bytes JMP 006E0FEF
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 006E0033
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!system 7645B16F 5 Bytes JMP 006E0FA8
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 006E0FC3
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 006E0018
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wopen 76460570 5 Bytes JMP 006E0FDE
.text C:\Windows\system32\svchost.exe[1848] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 006F0FEF
.text C:\Windows\system32\svchost.exe[1848] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 006F0FDE
.text C:\Windows\system32\svchost.exe[1848] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 006F001E
.text C:\Windows\system32\svchost.exe[1848] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 006F0039
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00700FEF
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 0070002F
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00700FA8
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 0070004A
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 00700FDE
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 0070006F
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 00700FC3
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 00700014
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 00700F8A
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 007000D8
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 00700F43
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00700040
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 007000BD
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00700091
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 00700076
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00700FB9
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 0070001B
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 00700F1E
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 0070005B
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00700FD4
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00700000
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 00700F79
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00700FEF
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00700F5E
.text C:\Windows\system32\svchost.exe[1852] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 007000A2
.text C:\Windows\system32\svchost.exe[1852] msvcrt.dll!_open 76427E48 5 Bytes JMP 006C0FEF
.text C:\Windows\system32\svchost.exe[1852] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 006C0018
.text C:\Windows\system32\svchost.exe[1852] msvcrt.dll!system 7645B16F 5 Bytes JMP 006C0F97
.text C:\Windows\system32\svchost.exe[1852] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 006C0FCD
.text C:\Windows\system32\svchost.exe[1852] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 006C0FB2
.text C:\Windows\system32\svchost.exe[1852] msvcrt.dll!_wopen 76460570 5 Bytes JMP 006C0FDE
.text C:\Windows\system32\svchost.exe[1852] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 006D0000
.text C:\Windows\system32\svchost.exe[1852] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 006D001B
.text C:\Windows\system32\svchost.exe[1852] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 006D0036
.text C:\Windows\system32\svchost.exe[1852] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 006D0051
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 006F0FE5
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 006F0FAF
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 006F0051
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 006F0036
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 006F0FD4
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 006F0F94
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 006F0000
.text C:\Windows\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 006F001B
.text C:\Windows\system32\svchost.exe[1852] WS2_32.dll!socket 76643F00 5 Bytes JMP 006E0FEF
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 040C00AC
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 040C00D8
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 040C0F43
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 040C001B
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 040C0F83
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 040C0076
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 040C005B
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 040C0F9E
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 040C000A
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 040C0F28
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 040C0040
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 040C0FB9
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 040C0FEF
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 040C00BD
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 040C0FD4
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 040C0F5E
.text C:\Windows\Explorer.EXE[1860] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 040C0091
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 04070FEF
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 04070FAF
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 04070F8D
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 04070F9E
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 04070000
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegCreateKeyExW 7677B946 1 Byte [E9]
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 0407004A
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 04070FCA
.text C:\Windows\Explorer.EXE[1860] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 04070025
.text C:\Windows\Explorer.EXE[1860] msvcrt.dll!_open 76427E48 5 Bytes JMP 03DF0000
.text C:\Windows\Explorer.EXE[1860] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 03DF002C
.text C:\Windows\Explorer.EXE[1860] msvcrt.dll!system 7645B16F 5 Bytes JMP 03DF0FAB
.text C:\Windows\Explorer.EXE[1860] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 03DF0FD7
.text C:\Windows\Explorer.EXE[1860] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 03DF0FBC
.text C:\Windows\Explorer.EXE[1860] msvcrt.dll!_wopen 76460570 5 Bytes JMP 03DF0011
.text C:\Windows\Explorer.EXE[1860] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 03E4000A
.text C:\Windows\Explorer.EXE[1860] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 03E40025
.text C:\Windows\Explorer.EXE[1860] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 03E40036
.text C:\Windows\Explorer.EXE[1860] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 03E40047
.text C:\Windows\Explorer.EXE[1860] WS2_32.dll!socket 76643F00 5 Bytes JMP 04020000
.text C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe[2292] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 0041C130 C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe[2292] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 0041C1B0 C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 005B0087
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 005B00B3
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 005B0F1E
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 005B0011
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 005B0F54
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 005B0058
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 005B0F8A
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 005B0047
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 005B0FCA
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 005B00CE
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 005B002C
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 005B0FA5
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 005B0FEF
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 005B0098
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 005B0000
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 005B0F39
.text C:\Windows\System32\svchost.exe[2764] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 005B0F65
.text C:\Windows\System32\svchost.exe[2764] msvcrt.dll!_open 76427E48 5 Bytes JMP 00250000
.text C:\Windows\System32\svchost.exe[2764] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 00250F9C
.text C:\Windows\System32\svchost.exe[2764] msvcrt.dll!system 7645B16F 5 Bytes JMP 00250FAD
.text C:\Windows\System32\svchost.exe[2764] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 0025001D
.text C:\Windows\System32\svchost.exe[2764] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00250FC8
.text C:\Windows\System32\svchost.exe[2764] msvcrt.dll!_wopen 76460570 5 Bytes JMP 00250FE3
.text C:\Windows\System32\svchost.exe[2764] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 00580000
.text C:\Windows\System32\svchost.exe[2764] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 00580FE5
.text C:\Windows\System32\svchost.exe[2764] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 00580FD4
.text C:\Windows\System32\svchost.exe[2764] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 00580025
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 005A0000
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 005A0058
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 005A0FD1
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 005A0069
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 005A0011
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 005A008E
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 005A0036
.text C:\Windows\System32\svchost.exe[2764] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 005A0047
.text C:\Windows\System32\svchost.exe[2764] WS2_32.dll!socket 76643F00 5 Bytes JMP 00590FEF
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 00540098
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00540F14
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 00540F25
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00540036
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 00540F65
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00540F9B
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 0054007D
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00540FC0
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 00540025
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 005400BA
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 00540047
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00540058
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreateFileA 77C428FC 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00540000
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 005400A9
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 00540FE5
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 00540F40
.text C:\Windows\System32\svchost.exe[3416] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00540F8A
.text C:\Windows\System32\svchost.exe[3416] msvcrt.dll!_open 76427E48 5 Bytes JMP 0002000C
.text C:\Windows\System32\svchost.exe[3416] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 00020055
.text C:\Windows\System32\svchost.exe[3416] msvcrt.dll!system 7645B16F 5 Bytes JMP 00020FCA
.text C:\Windows\System32\svchost.exe[3416] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 00020033
.text C:\Windows\System32\svchost.exe[3416] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00020044
.text C:\Windows\System32\svchost.exe[3416] msvcrt.dll!_wopen 76460570 5 Bytes JMP 00020FEF
.text C:\Windows\System32\svchost.exe[3416] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 003A0FEF
.text C:\Windows\System32\svchost.exe[3416] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 003A0000
.text C:\Windows\System32\svchost.exe[3416] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 003A0FCA
.text C:\Windows\System32\svchost.exe[3416] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 003A001B
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00530000
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 00530F9E
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00530025
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 00530F83
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 00530FE5
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 00530F72
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 00530FCA
.text C:\Windows\System32\svchost.exe[3416] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 00530FB9
.text C:\Windows\System32\svchost.exe[3416] WS2_32.dll!socket 76643F00 5 Bytes JMP 00560FEF
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!GetStartupInfoA 77BF1DF0 5 Bytes JMP 000600C4
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00060101
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateProcessA 77BF2062 5 Bytes JMP 00060F6C
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateNamedPipeW 77C21FD6 5 Bytes JMP 00060036
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreatePipe 77C24A8B 5 Bytes JMP 000600A9
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!VirtualProtect 77C350AB 5 Bytes JMP 00060F9B
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!LoadLibraryExW 77C3B6BF 5 Bytes JMP 00060073
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!LoadLibraryExA 77C3BC8B 5 Bytes JMP 00060062
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 0006000A
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!GetProcAddress 77C41837 5 Bytes JMP 00060F51
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!LoadLibraryA 77C42864 5 Bytes JMP 00060051
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!LoadLibraryW 77C428B2 5 Bytes JMP 00060FCA
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateFileA 77C428FC 5 Bytes JMP 00060FE5
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!GetStartupInfoW 77C47CB5 5 Bytes JMP 000600D5
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateNamedPipeA 77C7D4DF 5 Bytes JMP 0006001B
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!WinExec 77C7E695 5 Bytes JMP 000600E6
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!VirtualProtectEx 77C7F651 5 Bytes JMP 00060098
.text C:\Windows\system32\svchost.exe[4060] msvcrt.dll!_open 76427E48 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[4060] msvcrt.dll!_wsystem 7645B04F 5 Bytes JMP 00080FBC
.text C:\Windows\system32\svchost.exe[4060] msvcrt.dll!system 7645B16F 5 Bytes JMP 00080047
.text C:\Windows\system32\svchost.exe[4060] msvcrt.dll!_creat 7645ED29 5 Bytes JMP 0008001B
.text C:\Windows\system32\svchost.exe[4060] msvcrt.dll!_wcreat 7646038E 5 Bytes JMP 00080036
.text C:\Windows\system32\svchost.exe[4060] msvcrt.dll!_wopen 76460570 5 Bytes JMP 00080FE3
.text C:\Windows\system32\svchost.exe[4060] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 000C0FEF
.text C:\Windows\system32\svchost.exe[4060] WININET.dll!InternetOpenW 764D9DA0 5 Bytes JMP 000C0FDE
.text C:\Windows\system32\svchost.exe[4060] WININET.dll!InternetOpenUrlA 764DDC18 5 Bytes JMP 000C001E
.text C:\Windows\system32\svchost.exe[4060] WININET.dll!InternetOpenUrlW 7652DC14 5 Bytes JMP 000C0FC3
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyA 7676D2ED 5 Bytes JMP 00180000
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyA 7676D3C1 5 Bytes JMP 00180FAC
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyExA 76771B71 5 Bytes JMP 00180F80
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyW 76771CC0 5 Bytes JMP 00180F9B
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyW 76773129 5 Bytes JMP 00180FDB
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyExW 7677B946 5 Bytes JMP 00180F65
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 5 Bytes JMP 00180011
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExW 7677BEC4 5 Bytes JMP 00180022

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7424250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74242494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74225624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742256E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74238573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74234D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [742350CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [742351A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [742366D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [742382CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74238819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7423907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7423E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74234C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [00831B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [008327E0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [008311D0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\system32\rundll32.exe[2324] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2324] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2324] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2324] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2324] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2324] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlReAllocateHeap] [6E599832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlSizeHeap] [6E59A27D] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlLockHeap] [6E5994D8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlUnlockHeap] [6E5994E8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlDestroyHeap] [6E5994B8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlCreateHeap] [6E5994A8] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlExitUserProcess] [6E59AA9E] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\WS2_32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\WS2_32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\RPCRT4.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\RPCRT4.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlSizeHeap] [6E59A27D] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlReAllocateHeap] [6E599832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\USER32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\GDI32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\GDI32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\ADVAPI32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\ADVAPI32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\ADVAPI32.dll [ntdll.dll!RtlReAllocateHeap] [6E599832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\SHELL32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\ole32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\ole32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\ole32.dll [ntdll.dll!RtlReAllocateHeap] [6E599832] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\CRYPT32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\CRYPT32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\Iphlpapi.DLL [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\Iphlpapi.DLL [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\Secur32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\Secur32.dll [ntdll.dll!RtlFreeHeap] [6E599E78] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [75DA5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[4952] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [04771B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[4952] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [047727E0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[4952] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [047711D0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume13 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume15 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ACPI_HAL \Device\00000063 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\BTHUSB \Device\00000097 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 859982F6

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [444:5348] 99406BF8
Thread csrss.exe [444:5484] 99404934

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0002720f7108
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext 0x02 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@COD Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Scans Before Out of Range 8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SCO Max Channels 2
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Store Link Key COD Masks 0x00 0x00 0x1F 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicLinkName \??\USB#VID_0A5C&PID_2101#0002720F7108#{0850302a-b344-4fda-9be9-90576b8d46f0}
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicName \??\USB#VID_0A5C&PID_2101#0002720F7108#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Write Scan Enable 3
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0002
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0002@BackupContext 0x02 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0002@COD Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0002@Scans Before Out of Range 8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0002@SCO Max Channels 2
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0002@Store Link Key COD Masks 0x00 0x00 0x1F 0x43 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0002720f7108 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext 0x02 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@COD Type 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Scans Before Out of Range 8
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SCO Max Channels 2
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Store Link Key COD Masks 0x00 0x00 0x1F 0x43 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicLinkName \??\USB#VID_0A5C&PID_2101#0002720F7108#{0850302a-b344-4fda-9be9-90576b8d46f0}
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicName \??\USB#VID_0A5C&PID_2101#0002720F7108#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Write Scan Enable 3
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0002@BackupContext 0x02 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0002@COD Type 1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0002@Scans Before Out of Range 8
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0002@SCO Max Channels 2
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0002@Store Link Key COD Masks 0x00 0x00 0x1F 0x43 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


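As an added illustration (not part of the thread, and not a GMER feature): a small Python triage script that parses the inline-hook (".text") and "Files" lines of a GMER log like the one above and lists, per process, the hooks whose JMP target GMER could not attribute to any loaded module, together with files GMER flagged as modified. The sample lines are taken from the log above plus one constructed attributed hook; `C:\example\app.exe`, `hips.dll` and `Example Vendor` are placeholders.

```python
"""Triage helper for GMER 1.0.15 logs (added example, not GMER's own code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Inline hook record, e.g. (from the log above):
#   .text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00060101
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<count>\d+)\s+Bytes?\s+(?P<rest>.*?)\s*$"
)
# "JMP <target> [<owning module path> (<description>)]". GMER appends the
# module attribution only when it can map the target into a loaded module;
# a bare "JMP 00060101" means the target lives in memory it could not name.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<attr>\S.*))?$")
# "Files" section record for an on-disk driver GMER considers tampered with.
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    export: str                 # e.g. "kernel32.dll!CreateProcessW"
    hooked_at: int              # address of the patched bytes
    target: Optional[int]       # JMP destination; None for "1 Byte [E9]" style records
    attribution: Optional[str]  # module GMER tied the target to, if any


def parse_gmer(text: str):
    """Return (hooks, suspicious_files) extracted from a GMER log."""
    hooks, suspicious = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            j = JMP_RE.match(m["rest"])
            hooks.append(Hook(
                process=m["proc"], pid=int(m["pid"]),
                export=f'{m["module"]}!{m["func"]}',
                hooked_at=int(m["addr"], 16),
                target=int(j["target"], 16) if j else None,
                attribution=j["attr"] if j and j["attr"] else None,
            ))
            continue
        f = FILE_RE.match(line)
        if f:
            suspicious.append(f["path"])
    return hooks, suspicious


def unattributed_hooks(hooks):
    """Hooks whose JMP lands in memory GMER could not tie to a loaded module.
    Injected code usually runs from private (heap/VirtualAlloc) memory and
    shows up exactly like this, but host-based security products inject too
    (this machine runs McAfee), so treat the list as 'review', not 'verdict'."""
    return [h for h in hooks if h.target is not None and h.attribution is None]


def triage(text: str):
    """Per-process list of unattributed hooked exports, plus flagged files."""
    hooks, suspicious = parse_gmer(text)
    by_proc = defaultdict(list)
    for h in unattributed_hooks(hooks):
        by_proc[(h.process, h.pid)].append(h.export)
    return {"unattributed": dict(by_proc), "suspicious_files": suspicious}


# Constructed sample: four records copied from the log above, one IAT line
# (ignored by this parser), one constructed attributed hook, and the file line.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[4060] kernel32.dll!CreateProcessW 77BF202D 5 Bytes JMP 00060101
.text C:\Windows\system32\svchost.exe[4060] WININET.dll!InternetOpenA 764D7E1C 5 Bytes JMP 000C0FEF
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExA 7677BC0D 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[3416] WS2_32.dll!socket 76643F00 5 Bytes JMP 00560FEF
IAT C:\Program Files\Steam\Steam.exe[2740] @ C:\Windows\system32\kernel32.dll [ntdll.dll!RtlAllocateHeap] [6E5992CD] C:\Windows\AppPatch\AcXtrnal.DLL (Windows Compatibility DLL/Microsoft Corporation)
.text C:\example\app.exe[1234] kernel32.dll!CreateFileW 77C40B5D 5 Bytes JMP 10001000 C:\example\hips.dll (Constructed HIPS module/Example Vendor)
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (proc, pid), exports in result["unattributed"].items():
        print(f"{proc}[{pid}]: {len(exports)} unattributed hook(s): {', '.join(exports)}")
    for path in result["suspicious_files"]:
        print(f"suspicious modification: {path}")
```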

#5 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 27 November 2009 - 05:50 PM

I have the DDS.txt, Attach.txt and GMER.log now. I am posting as much as I can, and uploading just in case it doesn't all fit - would you prefer I use more posts if needed to post all logs without attaching them?

Yes I would prefer that you use more posts if required in order to post all of the logs without attaching.

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Proud Graduate of the WTT Classroom


#6 d3m0l1sh3r

    Authentic Member

  • Authentic Member
  • 25 posts

Posted 27 November 2009 - 06:06 PM

SweetTech, will you please take a look at the attached screenshot? It is the NirCmd/C virus that was supposedly removed by one of my programs before, in the Processes tab in the task manager, along with the iexplore.exe processes that I did not run. If I end one of them, more stop, so I'm leaving them alone for now. ALSO, in the screenshot is the warning I get about ComboFix not being safe for my computer, so I wanted your re-approval to run it before I go through with it. Thank you.

Attached Thumbnails

  • nircmd_and_combofix.png


#7 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 27 November 2009 - 09:23 PM

Will you please take a look at the attached screenshot? It is the NirCmd/C virus that was supposedly removed by one of my programs before, in the Processes tab in the task manager, along with the iexplore.exe processes that I did not run. If I end one of them, more stop, so I'm leaving them alone for now. ALSO, in the screenshot is the warning I get about ComboFix not being safe for my computer, so I wanted your re-approval to run it before I go through with it. Thank you.

Let's see what happens after you run ComboFix. Please go ahead and allow ComboFix to run.



#8 d3m0l1sh3r

    Authentic Member

  • Authentic Member
  • 25 posts

Posted 27 November 2009 - 09:52 PM

Okay, I ran it as administrator, following your instructions, it backed up the registry, scanned for a minute and said "The scan has found rootkit activity on your system, ComboFix needs to reboot your computer to remove these" (I paraphrased, may not have been exact words.) But it's been at the "Shutting down..." screen for at least 5 minutes now. Does it normally take very long to reboot? Or do I need to force it to shut down at some point? And, btw, the little circle next to "Shutting down..." isn't moving, either. EDIT: 20 minutes, maybe I do need to hold the button...

Edited by d3m0l1sh3r, 27 November 2009 - 10:07 PM.


#9 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 27 November 2009 - 10:10 PM

I'd appreciate it if you could please wait until I post back instructions before doing anything to your computer like restarting it. As a reminder, all of my posts to you need to be checked by an expert, so at times this may cause a delay between posts. I don't want you to think that I am ignoring you. These are just the rules I need to follow.

Thanks,
SweetTech.



#10 d3m0l1sh3r

    Authentic Member

  • Authentic Member
  • 25 posts

Posted 27 November 2009 - 10:12 PM

I'd appreciate it if you could please wait until I post back instructions before doing anything to your computer like restarting it. As a reminder, all of my posts to you need to be checked by an expert, so at times this may cause a delay between posts. I don't want you to think that I am ignoring you. These are just the rules I need to follow.

Thanks,
SweetTech.


I know, and I'm not doing anything.
I apologize. I'm just a little freaked and genetically impatient. I know you are doing your best to help me, and I'm not cooperating.

Edited by d3m0l1sh3r, 27 November 2009 - 10:14 PM.



#11 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 27 November 2009 - 10:36 PM

Please go ahead and force your computer to restart. This can be done by pushing the power button in and holding it until the computer shuts off/restarts.

Once your computer has booted up, the ComboFix log may automatically open on your screen. If it does, then please post that information here. If it does not, please locate the ComboFix log that was produced as follows:
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Look for ComboFix.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad



#12 d3m0l1sh3r

    Authentic Member

  • Authentic Member
  • 25 posts

Posted 27 November 2009 - 10:48 PM

Windows is starting up now.... It didn't kill my computer like it said in the ComboFix warning =D Wait... There's a "combofix" folder on C:\, but no "combofix.txt" =( The folder just contains, it appears, the tools it uses. And just in case, I looked and there's no "combofix.txt" in it, either. Should I try running it again? (I promise not to do anything before you say.) EDIT: Microsoft Security Essentials just popped up an alert saying it detected a threat process and has suspended it. The item is "Virus:Win32/Alureon.D", alert level "Severe", recommendation "Disinfect" (why not remove?) and status "suspended". What do you want me to do with that as well? Microsoft defines it as "a family of data-stealing trojans..." Although, it's saying it found it and the location is "C:\Qoobox\Quarantine\C\\Windows\System32\drivers\atapi.sys.vir". So if it was quarantined by something else, it may not really need removing.

Edited by d3m0l1sh3r, 27 November 2009 - 11:06 PM.


#13 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 27 November 2009 - 11:36 PM

Let's try to run ComboFix again. Before running it, please ensure that all of your security programs are disabled. Accept any prompts that ComboFix displays. If CF gives you a rootkit warning, please be sure to write down any file names that may appear in the warning. When ComboFix is done running, please post the log that is produced afterwards.



#14 d3m0l1sh3r

    Authentic Member

  • Authentic Member
  • 25 posts

Posted 28 November 2009 - 04:59 PM

Let's try to run ComboFix again. Before running it, please ensure that all of your security programs are disabled. Accept any prompts that ComboFix displays. If CF gives you a rootkit warning, please be sure to write down any file names that may appear in the warning. When ComboFix is done running, please post the log that is produced afterwards.

I disabled all my anti-virus/spyware/malware programs, and just closed generally most things that weren't important to have running at the time.
I ran ComboFix, and it went through 8-9 stages (something it didn't do on the first run) but then sent me to the BSOD! I turned it off. I'm afraid to turn it back on.
What do I do now?

I'm not sure if it's the least bit helpful, but by the way, by "Completed Stage 3", windows explorer had been shut down. (Desktop icons gone, along with start button, taskbar, system tray, etc.)

BSOD doesn't actually mean "death" (especially in this case), right? Like it should still boot up relatively the same and just work like it did before, right?

A suggestion that was made to me was to go back to an early system restore point (I don't have many, but there's one back before I began having problems) and then remove the worms and such that were on my computer back then and try to stop the malware before the symptoms started.

Edited by d3m0l1sh3r, 28 November 2009 - 06:30 PM.


#15 SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • 3,368 posts

Posted 28 November 2009 - 06:32 PM

Download this TDSSKiller.zip & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller
Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

    @ECHO OFF
    START /WAIT TDSSKILLER.exe -l Logit.txt -v
    START Logit.txt
    del %0

Save this as fix.bat. Choose "Save type as - All Files".
Double click on fix.bat & allow it to run (you will probably have to press any key to continue).
Logit.txt should open. Post that information here.

