ben3045

I'm Infected[INACTIVE]


I've got all kinds of weird stuff going on - especially that the PC runs real slow. I subscribe to McAfee and I also scan regularly using SUPERAntiSpyware, but it doesn't help. They show that they are deleting Vundo stuff, but it just comes back. Here is my HJT log. Help please!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:02:18 AM, on 9/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\dlbtcoms.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O1 - Hosts: 89.149.206.68

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - (no file)

O2 - BHO: (no name) - {b0f361fd-3798-4565-875e-57244bea8e46} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CPMdf5b3d65] Rundll32.exe "c:\windows\system32\reribizu.dll",a

O4 - HKLM\..\Run: [jalarayav] Rundll32.exe "c:\windows\system32\zanoruvu.dll",a

O4 - HKLM\..\Run: [zohehejoho] Rundll32.exe "C:\WINDOWS\system32\nifisofo.dll",s

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [shell] C:\WINDOWS\system\rundll32.exe 70191

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

O4 - HKLM\..\Run: [dc680ef9] rundll32.exe "C:\WINDOWS\system32\kiklhfth.dll",b

O4 - HKLM\..\Run: [bMdf5b3d65] Rundll32.exe "C:\WINDOWS\system32\sxjwtegm.dll",s

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/MONOPOLY%20-%20SpongeBob%20SquarePants%20Edition/Images/stg_drm.ocx

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...402/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: xikcxi.dll C:\WINDOWS\system32\nipavuyo.dll c:\windows\system32\fotehoju.dll c:\windows\system32\reribizu.dll c:\windows\system32\zanoruvu.dll c:\windows\system32\pekinozu.dll c:\windows\system32\vuzofiha.dll c:\windows\system32\kedoniye.dll c:\windows\system32\fijemevi.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - (no file)

O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - (no file)

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reribizu.dll

O21 - SSODL: suyubenaj - {47c976df-74b3-4122-91e9-8601b0db5196} - c:\windows\system32\vuzofiha.dll (file missing)

O22 - SharedTaskScheduler: {5839511e-ec1b-4f91-ace3-fb88e52f5239} - fairydom - (no file)

O22 - SharedTaskScheduler: {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - coursings - (no file)

O22 - SharedTaskScheduler: tokatiluy - {6653fe0a-ca75-4f2a-af6e-a7038bb0e326} - (no file)

O22 - SharedTaskScheduler: gahurihor - {2076e57d-456b-45cd-9bca-8f6cc3c3da64} - (no file)

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reribizu.dll

O22 - SharedTaskScheduler: kupuhivus - {47c976df-74b3-4122-91e9-8601b0db5196} - c:\windows\system32\vuzofiha.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)

--

End of file - 10936 bytes

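As an added triage aid (not code from this thread, from HijackThis or from any of the tools named below), the script parses HJT entry lines like the ones in the log above and flags the load points a Vundo-style infection uses, then cross-references which DLLs are registered in more than one of them; the sample lines are copied from the log above, while the regexes and flag rules are my own heuristics.

```python
import re
from collections import defaultdict

# Sample entries copied from the HijackThis log posted above (a subset, enough to run the demo).
SAMPLE_LOG = r"""
O1 - Hosts: 89.149.206.68
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CPMdf5b3d65] Rundll32.exe "c:\windows\system32\reribizu.dll",a
O4 - HKLM\..\Run: [shell] C:\WINDOWS\system\rundll32.exe 70191
O20 - AppInit_DLLs: xikcxi.dll C:\WINDOWS\system32\nipavuyo.dll c:\windows\system32\reribizu.dll
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - (no file)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reribizu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\reribizu.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# One HJT entry per line: a section tag (O1, O4, R1, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<sec>O\d+|R\d) - (?P<body>.*)$")
# Any DLL reference in a body: a full drive path, or a bare name as AppInit_DLLs lists them.
DLL_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.dll|\b[a-z]{5,12}\.dll\b', re.IGNORECASE)
# Vundo-style Run entry: rundll32 loads a DLL and calls a one-letter export (",a" / ",s" / ",b").
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^"\s]+\.dll)"?\s*,\s*(?P<export>[a-z])\s*$',
                       re.IGNORECASE)


def parse_entries(text):
    """Return (section, body) pairs for every HJT entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Flag persistence entries worth a closer look and cross-reference DLLs across load points.

    Returns (findings, shared): findings is a list of (section, reason, body); shared maps a DLL
    basename to the set of sections referencing it when more than one does. The rules are
    heuristics written for this demo, so expect some false positives on a clean machine.
    """
    findings = []
    dll_refs = defaultdict(set)
    for sec, body in parse_entries(text):
        for path in DLL_RE.findall(body):
            dll_refs[path.rsplit("\\", 1)[-1].lower()].add(sec)
        missing = "(no file)" in body or "(file missing)" in body
        if sec == "O1":
            # HJT only prints non-default hosts lines, so any O1 entry deserves a look.
            findings.append((sec, "hosts file override", body))
        elif sec in ("O2", "O3") and missing:
            findings.append((sec, "orphaned BHO/toolbar registration", body))
        elif sec == "O4":
            m = RUNDLL_RE.search(body)
            if m:
                findings.append((sec, f"rundll32 loads {m['dll']} via export '{m['export']}'", body))
            elif "rundll32" in body.lower() and "\\system32\\" not in body.lower():
                # The real rundll32.exe lives in system32; a copy elsewhere is suspicious.
                findings.append((sec, "rundll32 run from a non-standard path", body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32, which is the kind
            # of load point that lets an infection return after its Run entries are deleted.
            findings.append((sec, "AppInit_DLLs is populated", body))
        elif sec in ("O21", "O22"):
            reason = ("orphaned shell/scheduler registration" if missing
                      else "shell/scheduler registration loads a DLL at logon (review)")
            findings.append((sec, reason, body))
    shared = {dll: secs for dll, secs in dll_refs.items() if len(secs) > 1}
    return findings, shared


if __name__ == "__main__":
    found, shared = triage(SAMPLE_LOG)
    for sec, reason, body in found:
        print(f"[{sec}] {reason}: {body}")
    for dll, secs in sorted(shared.items()):
        print(f"{dll} is registered in {len(secs)} load points: {', '.join(sorted(secs))}")
```

On the sample, reribizu.dll comes back as registered in O4, O20, O21 and O22 at once, which is why deleting a single Run entry does not keep it gone.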

Hello, my name is fenzodahl512 and welcome to the forum.. Please do the following....

Please download The Comedian.exe by Rorschach112 to your desktop

  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished

STOP! if you can't complete this step.. Tell me more about it..

NEXT

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.

  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

NEXT

Please download GMER and unzip it to your Desktop. <<mirror>>

Please rename the random filename or GMER into GAMERS

  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results

Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'

2. RSIT log.txt

3. RSIT info.txt

4. Attach GAMERS result..


Hi, thanks for the help.

1. In trying to run The_Comedian.exe, I received the following error message "The_Comedian.exe is not a valid WIN32 application."

2. I skipped that step and proceeded through the remaining steps.

3. Three logs are attached. Besttechie would not allow me to upload the log from Gamer so I pasted it below.

GMER 1.0.15.15077 [wcrxuk07.exe] - http://www.gmer.net

Rootkit scan 2009-09-13 13:08:14

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76C787E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76C7BFE]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB07C30B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB064C9AA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB064C958]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB064C96C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB064C9EA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB064C930]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB064C944]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB064C9BE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB064C996]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB064C982]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB064CA19]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB064CA00]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB064C9D4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP B064C9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtSetInformationProcess 8056BDCD 5 Bytes JMP B064C986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtCreateFile 8056FC78 5 Bytes JMP B064C9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571F71 5 Bytes JMP B064CA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtMapViewOfSection 805723EC 7 Bytes JMP B064C9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenProcess 80572D86 5 Bytes JMP B064C934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80573135 7 Bytes JMP B064C9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateProcessEx 80581F0E 7 Bytes JMP B064C970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwTerminateProcess 805847CC 5 Bytes JMP B064CA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenThread 8058C892 2 Bytes JMP B064C948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenThread + 3 8058C895 2 Bytes [0C, 30] {OR AL, 0x30}

PAGE ntoskrnl.exe!ZwCreateProcess 805B0B34 5 Bytes JMP B064C95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwSetContextThread 8062C4B3 5 Bytes JMP B064C99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[476] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[476] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 013E0000

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 013E0075

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 013E0F80

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 013E0F91

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 013E0FA2

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 013E0033

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 013E0090

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 013E0F54

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 013E00BC

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 013E00AB

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 013E00D7

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 013E004E

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 013E0011

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 013E0F6F

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 013E0022

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 013E0FD1

.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 013E0F2D

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00FF0FD4

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00FF0FB9

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00FF0025

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00FF0FEF

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00FF006C

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00FF0000

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00FF0051

.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00FF0036

.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FA8

.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0033

.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FCD

.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF

.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0022

.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FDE

.text C:\WINDOWS\system32\services.exe[700] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C4000A

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00800FEF

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00800F68

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00800F83

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00800051

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00800F9E

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00800FC3

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008000A6

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00800095

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00800F17

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00800F32

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00800F06

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00800040

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0080000A

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00800078

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0080002F

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00800FD4

.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00800F43

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 007F001E

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 007F0080

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 007F0FC3

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 007F0FDE

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 007F006F

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 007F0FEF

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 007F0054

.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 007F002F

.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0053

.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0038

.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E000C

.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FEF

.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0027

.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0FD2

.text C:\WINDOWS\system32\lsass.exe[712] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D000A

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009B0FEF

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009B0F70

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009B006F

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009B005E

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009B0FA1

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009B0039

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009B0F55

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009B009D

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009B00BF

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009B0F30

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009B0F0B

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009B0FB2

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009B0014

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009B0080

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009B0FC3

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009B0FD4

.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009B00AE

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 009A0FC3

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 009A006C

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 009A0FDE

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 009A0014

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 009A005B

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 009A0FEF

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 009A004A

.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 009A0039

.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00990044

.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!system 77C293C7 5 Bytes JMP 00990FB9

.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00990029

.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00990FEF

.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00990FD4

.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00990018

.text C:\WINDOWS\system32\svchost.exe[868] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00920000

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B40000

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B40086

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B40F91

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B4006B

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B4004E

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B4003D

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B400B2

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B40F6A

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B40F48

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B400D7

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00B400F2

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00B40FAC

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00B40011

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00B400A1

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00B4002C

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00B40FD1

.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00B40F59

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00B30047

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00B30FB9

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00B3002C

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00B30011

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00B30FD4

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00B30000

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00B30FE5

.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00B3006C

.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B2004C

.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20031

.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20FD2

.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B2000C

.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20FC1

.text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FE3

.text C:\WINDOWS\system32\svchost.exe[936] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B10000

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02450FEF

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02450F47

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02450046

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02450F6E

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02450F7F

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02450FAB

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02450F2C

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02450074

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 024500BB

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 024500AA

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 024500CC

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02450F90

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02450FDE

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02450057

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02450FBC

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02450FCD

.text C:\WINDOWS\System32\svchost.exe[1028] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0245008F

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02440FB9

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02440040

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 02440FD4

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0244000A

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02440F83

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02440FEF

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 02440F94

.text C:\WINDOWS\System32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0244001B

.text C:\WINDOWS\System32\svchost.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 023D0F92

.text C:\WINDOWS\System32\svchost.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 023D0027

.text C:\WINDOWS\System32\svchost.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 023D0FD2

.text C:\WINDOWS\System32\svchost.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 023D0FEF

.text C:\WINDOWS\System32\svchost.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 023D0FB7

.text C:\WINDOWS\System32\svchost.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 023D000C

.text C:\WINDOWS\System32\svchost.exe[1028] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 023C0000

.text C:\WINDOWS\System32\svchost.exe[1028] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 023B0000

.text C:\WINDOWS\System32\svchost.exe[1028] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 023B0FE5

.text C:\WINDOWS\System32\svchost.exe[1028] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 023B0FD4

.text C:\WINDOWS\System32\svchost.exe[1028] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 023B0025

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00870FEF

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00870F7E

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00870073

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00870062

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00870FAF

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00870040

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008700BA

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008700A9

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008700D5

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00870F3C

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00870F21

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00870051

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00870FDE

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00870098

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0087001B

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0087000A

.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00870F4D

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00860FA8

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00860025

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00860FC3

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00860FDE

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00860014

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00860FEF

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00860F72

.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00860F8D

.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00850F9E

.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 00850FB9

.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00850018

.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00850FEF

.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00850033

.text C:\WINDOWS\system32\svchost.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00850FDE

.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007B0000

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007F0000

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007F0067

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007F0F72

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007F0F83

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007F0F94

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007F0FB9

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007F0F37

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007F0089

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007F00B5

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007F0F1C

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007F00D0

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 007F0040

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 007F0FDB

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 007F0078

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 007F0FCA

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 007F0011

.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007F009A

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 007E0FC3

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 007E0043

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 007E0FD4

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 007E000A

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 007E0F86

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 007E0FEF

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 007E0F97

.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 007E0FB2

.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007D002C

.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!system 77C293C7 5 Bytes JMP 007D0011

.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007D0000

.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007D0FE3

.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007D0FA1

.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007D0FD2

.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007B0000

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00870000

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00870F7E

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00870F99

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00870073

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00870062

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00870FDB

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00870F46

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0087008E

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00870F10

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008700A9

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00870EFF

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00870FC0

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0087001B

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00870F63

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00870047

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00870036

.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00870F2B

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0086002C

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0086007A

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0086001B

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00860FE5

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00860069

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00860000

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0086004E

.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0086003D

.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00850FA6

.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 00850031

.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00850FD2

.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00850000

.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00850FC1

.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00850FE3

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00ED0FEF

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00ED0F83

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00ED0F9E

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00ED0078

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00ED005B

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00ED0FCA

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00ED00C9

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00ED00AE

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00ED00F5

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00ED0F5C

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00ED0106

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00ED0FB9

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00ED000A

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00ED009D

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00ED0036

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00ED001B

.text C:\WINDOWS\Explorer.EXE[1628] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00ED00DA

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00EB0FCA

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00EB0F83

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00EB0FE5

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00EB0011

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00EB0F9E

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00EB0000

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00EB0FB9

.text C:\WINDOWS\Explorer.EXE[1628] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00EB0040

.text C:\WINDOWS\Explorer.EXE[1628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0066

.text C:\WINDOWS\Explorer.EXE[1628] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA004B

.text C:\WINDOWS\Explorer.EXE[1628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0FEF

.text C:\WINDOWS\Explorer.EXE[1628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0000

.text C:\WINDOWS\Explorer.EXE[1628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA003A

.text C:\WINDOWS\Explorer.EXE[1628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA001D

.text C:\WINDOWS\Explorer.EXE[1628] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00E10FE5

.text C:\WINDOWS\Explorer.EXE[1628] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00E10FD4

.text C:\WINDOWS\Explorer.EXE[1628] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00E1000A

.text C:\WINDOWS\Explorer.EXE[1628] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00E10FC3

.text C:\WINDOWS\Explorer.EXE[1628] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E90000

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009D0FEF

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009D0F7C

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009D0F8D

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009D0F9E

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009D0051

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009D0040

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009D0F4E

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009D0096

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009D00CC

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009D0F3D

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009D00DD

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009D0FAF

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009D0FDE

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009D0F6B

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009D002F

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009D0014

.text C:\WINDOWS\system32\svchost.exe[1708] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009D00BB

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00750025

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00750F72

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00750FD4

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00750014

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00750F83

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00750FEF

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00750F9E

.text C:\WINDOWS\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00750FAF

.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00740FA1

.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!system 77C293C7 5 Bytes JMP 00740FB2

.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00740FDE

.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00740FEF

.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00740FC3

.text C:\WINDOWS\system32\svchost.exe[1708] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0074000C

.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00720FEF

.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00720014

.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00720FDE

.text C:\WINDOWS\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00720FCD

.text C:\WINDOWS\system32\svchost.exe[1708] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00730000

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00250000

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00250075

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00250F80

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250F9B

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00250058

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250FC0

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00250097

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00250086

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00250F08

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00250F23

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00250EE3

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0025003D

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00250011

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00250F65

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0025002C

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00250FDB

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00250F34

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00330FCD

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00330054

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00330FDE

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00330FEF

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00330F97

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 0033000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00330039

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00330FB2

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00340070

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] msvcrt.dll!system 77C293C7 5 Bytes JMP 0034005F

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00340FE5

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00340000

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0034003A

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00340029

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00DB0000

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00DB0FE5

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00DB0FD4

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00DB001B

.text C:\Program Files\Internet Explorer\iexplore.exe[2312] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 00FD0FE5

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00250FEF

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0025007B

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0025006A

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250F86

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00250043

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250FB2

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00250F55

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0025009D

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002500D3

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00250F3A

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00250F1F

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00250FA1

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00250FDE

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 0025008C

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00250FC3

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00250014

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 002500B8

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00330025

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00330FA8

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00330FD4

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0033000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00330FB9

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00330FEF

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0033005B

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00330036

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0034003B

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00340FA6

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00340FC8

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00340FE3

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00340FB7

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00340000

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 01B30000

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 01B30FDB

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 01B30FCA

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 01B30FB9

.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 01D50FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[2492] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat AEF55C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\[email protected] 1

---- EOF - GMER 1.0.15 ----

info.txt

log.txt

mbam_log_2009_09_13__10_21_52_.txt

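Reading the GMER section above: every hook in the USER32 and ole32 group jumps into IEFRAME.dll, which GMER names and attributes to Microsoft, while the msvcrt (_open/_creat/system), WININET (InternetOpen*) and ws2_32 (socket) hooks jump to bare addresses that GMER could not map to any module loaded in the process. As an added example that is not part of this thread, the following Python script parses GMER's `.text` inline-hook lines, separates those two kinds, and groups the unattributed targets by 64 KiB allocation to show how many injected regions are serving them. The sample input is a constructed subset of lines copied verbatim from the log above; the function names and the 64 KiB grouping heuristic are assumptions of mine, not GMER's.

```python
import json
import re
from collections import defaultdict

# Constructed sample: a subset of the ".text" hook lines and the IAT line from the
# GMER 1.0.15 log above, copied verbatim. Nothing else in this block is from the thread.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0034003B
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00340FA6
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00340FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 01B30000
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 01B30FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 01D50FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[2492] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
"""

# One GMER ".text" user-mode inline hook line. The trailing "<path> (<description/vendor>)"
# is only printed when GMER can map the JMP target to a module loaded in the process.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)


def parse_hook(line):
    """Return a dict for a '.text ... JMP ...' line, or None for any other line (IAT, headers, blanks)."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["nbytes"] = int(h["nbytes"])
    h["addr"] = int(h["addr"], 16)
    h["target"] = int(h["target"], 16)
    return h


def parse_log(text):
    """Parse every hook line in a GMER log excerpt, skipping everything else."""
    return [h for h in (parse_hook(line) for line in text.splitlines()) if h]


def classify(hooks):
    """Split hooks by whether GMER attributed the JMP target to a module on disk.
    An unattributed target points into memory with no backing image, which is what a
    hook installed from injected code typically looks like in this log format; a hook
    attributed to a named, vendor-described module (IEFRAME.dll here) is the browser's own."""
    attributed = [h for h in hooks if h["owner"]]
    unattributed = [h for h in hooks if not h["owner"]]
    return attributed, unattributed


def regions(hooks, granularity=0x10000):
    """Bucket hook targets by 64 KiB allocation (assumed heuristic) so hooks served
    from one injected blob cluster together."""
    out = defaultdict(list)
    for h in hooks:
        out[h["target"] & ~(granularity - 1)].append(f'{h["module"]}!{h["export"]}')
    return dict(out)


def triage(text):
    """Summarise a log excerpt: hook count, attributed owners, unattributed hooks and their regions."""
    hooks = parse_log(text)
    attributed, unattributed = classify(hooks)
    return {
        "hooks": len(hooks),
        "attributed_owners": sorted({h["owner"] for h in attributed}),
        "unattributed": [f'{h["module"]}!{h["export"]}' for h in unattributed],
        "regions": {f"{base:08X}": names for base, names in sorted(regions(unattributed).items())},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample this reports three unattributed regions, 00340000 (the msvcrt file-creation and process-execution hooks), 01B30000 (the WININET hooks) and 01D50000 (the socket hook); feed it the whole GMER log rather than the excerpt to see the full picture. The grouping is a triage aid, not proof: some legitimate products also hook from unbacked memory, so the next step is to dump those regions from the live process and look at what the jump targets actually do.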

Please make sure you disable ALL of your antivirus/antispyware/firewall programs before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

------------------------------------------------------------------------------------------------------------------

NOTE: IMPORTANT! To other lurkers who see this topic, if you ever want to use ComboFix, please have a look at the tutorial below. You have been warned!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

This topic is now closed to further replies.