redirect virus

[lonnie]

I have a virus that redirects my web browser every time I click on a link. I followed the steps on the "I'm infected" post, and have attached and pasted all of my logs. Thanks for your help!!

malwarebytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4094

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

5/12/2010 5:47:19 PM

mbam-log-2010-05-12 (17-47-19).txt

Scan type: Full scan (C:\|)

Objects scanned: 207256

Time elapsed: 1 hour(s), 30 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\ComboFix\Catchme.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\ComboFix\catchme.cfxxe (Trojan.Agent) -> Quarantined and deleted successfully.

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by Lonnie Hastings at 19:14:38.70 on Wed 05/12/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1307 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Future Point\Starlight\Bin\SLServerRepository.exe

C:\Program Files\Future Point\XEE\Bin\SLXee2ServiceU.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\tbh\monitor\bin\tbhMonitor.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

c:\Program Files\tbh\base\bin\tbhDaemon.exe

C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\tp4mon.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Lonnie Hastings\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [TrackPointSrv] tp4mon.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [TpShocks] TpShocks.exe

mRun: [TP4EX] tp4ex.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe

mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent

mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"

mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe

mRun: [net] "c:\docume~1\lonnie~1\locals~1\temp\msrnoexacw.tmp"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\lonnie~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/devicesoftware/AxLoader.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: ACNotify - ACNotify.dll

Notify: igfxcui - igfxdev.dll

Notify: tpfnf2 - notifyf2.dll

Notify: tphotkey - tphklock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli csspwntfy

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lonnie~1\applic~1\mozilla\firefox\profiles\bpgu1pxj.default\

FF - component: c:\documents and settings\lonnie hastings\application data\mozilla\firefox\profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\lonnie hastings\application data\mozilla\firefox\profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\lonnie hastings\application data\mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll

FF - plugin: c:\program files\picasa2\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-15 214664]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-15 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-11-15 144704]

R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]

R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]

R2 StarlightService;Starlight Server;c:\program files\future point\starlight\bin\SLServerRepository.exe [2009-5-8 811008]

R2 StarlightXEEService;Starlight XEE Service;c:\program files\future point\xee\bin\SLXee2ServiceU.exe [2009-5-8 122880]

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-15 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-15 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-15 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-15 40552]

S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ancsq.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]

S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-5-12 256512]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-15 34248]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-1-26 18176]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-1-26 7680]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-1-26 23680]

S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2007-11-18 31512]

S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13840]

=============== Created Last 30 ================

2010-05-13 02:12:13 0 ----a-w- c:\documents and settings\lonnie hastings\defogger_reenable

2010-05-12 20:49:54 18845 ----a-w- c:\documents and settings\lonnie hastings\.recently-used.xbel

2010-05-12 20:00:19 77312 ----a-w- c:\windows\MBR.exe

2010-05-12 20:00:03 0 d-s---w- C:\ComboFix

2010-05-11 15:17:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-05-11 15:10:43 0 d-----w- c:\program files\Bonjour

2010-05-02 15:43:01 0 d-----w- c:\docume~1\lonnie~1\applic~1\1F930E4D7330697CD6E6FD6F88246F18

2010-04-22 15:10:15 0 d-----w- c:\windows\hpojp8500a909

2010-04-22 15:09:36 118272 ----a-w- c:\windows\system32\hpf3l082.dll

2010-04-22 15:09:35 271704 ----a-r- c:\windows\system32\hpzids01.dll

2010-04-22 15:09:01 966656 ----a-r- c:\windows\system32\hpwtiop4.dll

2010-04-22 15:09:01 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2010-04-22 15:09:01 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-04-22 15:09:01 294912 ----a-r- c:\windows\system32\hpovst11.dll

2010-04-22 15:09:00 741376 ----a-r- c:\windows\system32\hpwwiax5.dll

2010-04-22 15:08:57 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-04-22 15:08:57 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys

2010-04-22 14:43:45 131434 ----a-w- c:\windows\hpwins22.dat

2010-04-22 14:43:45 1075 ------w- c:\windows\hpwmdl22.dat

==================== Find3M ====================

2010-05-09 15:06:24 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2010-05-02 15:43:21 56766 ----a-w- c:\windows\system32\ctfmon.exe

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 22:58:12 256512 ----a-w- c:\windows\PEV.exe

2010-04-16 15:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-16 15:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr

2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 08:02:04 417792 ------w- c:\windows\system32\dllcache\vbscript.dll

2010-03-10 04:57:43 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll

2010-03-10 04:57:36 1024000 ------w- c:\windows\system32\dllcache\browseui.dll

2010-02-26 19:35:08 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll

2010-02-25 11:17:33 18432 ------w- c:\windows\system32\dllcache\iedw.exe

2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-17 18:57:54 2063744 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-02-16 17:37:57 2186880 ------w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-02-16 17:35:40 2143744 ------w- c:\windows\system32\ntoskrnl.exe

2010-02-16 17:35:40 2143744 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-02-16 16:57:54 2021888 ------w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 16:57:54 2021888 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\dllcache\6to4svc.dll

2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\6to4svc.dll

2006-10-04 18:42:48 774144 ------w- c:\program files\RngInterstitial.dll

============= FINISH: 19:15:46.07 ===============

attach.zip

[kahdah]

Hi lonnie welcome to malwarebytes.

I see you have previously ran Combofix

Please delete the version you have and do the following.

=============

Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=====================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[lonnie]

Hi,

Thank you for you help! I just downloaded and tried to run combofix, but as soon as it said it was starting to scan for infected files my computer crashed and a blue error screen showed up with a BAD_POOL_ERROR...

[lonnie]

sorry, it was actually a BAD_POOL_CALLER error....

[lonnie]

i restarted my computer and was able to get combofix to run

here is the log:

ComboFix 10-05-12.04 - Lonnie Hastings 05/13/2010 8:22.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1370 [GMT -7:00]

Running from: c:\documents and settings\Lonnie Hastings\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Lonnie Hastings\g2mdlhlpx.exe

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

c:\windows\system32\ctfmon .exe

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))

.

2010-05-12 05:15 . 2010-05-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-11 15:17 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-05-11 15:13 . 2010-05-11 15:14 -------- d-----w- c:\program files\QuickTime

2010-05-11 15:10 . 2010-05-11 15:10 -------- d-----w- c:\program files\Bonjour

2010-05-02 16:48 . 2010-05-02 16:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-05-02 15:43 . 2010-05-07 13:43 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\1F930E4D7330697CD6E6FD6F88246F18

2010-05-02 06:34 . 2010-05-02 15:47 -------- d-----w- c:\documents and settings\Lonnie Hastings\Local Settings\Application Data\qylfpippw

2010-04-22 15:10 . 2010-04-22 15:10 -------- d-----w- c:\windows\hpojp8500a909

2010-04-22 15:09 . 2008-08-12 17:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll

2010-04-22 15:09 . 2008-08-12 17:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll

2010-04-22 15:09 . 2008-08-22 04:24 271704 ----a-r- c:\windows\system32\hpzids01.dll

2010-04-22 15:09 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll

2010-04-22 15:09 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2010-04-22 15:09 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-04-22 15:09 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll

2010-04-22 15:09 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll

2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys

2010-04-22 15:06 . 2010-04-22 15:06 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-22 14:43 . 2010-04-22 15:25 131434 ----a-w- c:\windows\hpwins22.dat

2010-04-22 14:43 . 2008-10-25 02:28 1075 ------w- c:\windows\hpwmdl22.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-11 15:18 . 2007-11-19 01:25 -------- d-----w- c:\program files\iTunes

2010-05-11 15:17 . 2006-09-08 04:59 -------- d-----w- c:\program files\iPod

2010-05-11 15:17 . 2007-11-19 01:23 -------- d-----w- c:\program files\Common Files\Apple

2010-05-11 15:08 . 2010-05-11 15:08 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-09 15:06 . 2006-08-17 09:42 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2010-05-09 01:27 . 2007-11-18 21:18 -------- d---a-w- c:\documents and settings\Lonnie Hastings\Application Data\Skype

2010-05-09 00:28 . 2007-11-18 21:19 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\skypePM

2010-05-07 19:45 . 2009-03-01 22:14 -------- d--h--w- c:\documents and settings\Lonnie Hastings\Application Data\gtk-2.0

2010-05-02 20:50 . 2009-08-03 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-02 15:43 . 1980-01-01 07:00 56766 ----a-w- c:\windows\system32\ctfmon.exe

2010-04-29 22:39 . 2009-08-03 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2009-08-03 13:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-16 15:33 . 2009-10-26 06:27 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-16 15:33 . 2008-12-04 00:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-08 00:42 . 2007-11-15 07:58 -------- d-----w- c:\program files\McAfee

2010-03-28 05:32 . 2006-08-17 09:42 -------- d-----w- c:\program files\Picasa2

2010-03-28 05:30 . 2006-08-17 09:42 -------- d-----w- c:\program files\Google

2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr

2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 06:05 . 1980-01-01 07:00 668672 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 06:05 . 1980-01-01 07:00 81920 ------w- c:\windows\system32\ieencode.dll

2010-02-24 12:31 . 1980-01-01 07:00 454016 ------w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 16:56 . 2009-10-22 21:57 217088 ----a-w- c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll

2010-02-16 17:35 . 1980-01-01 07:00 2143744 ------w- c:\windows\system32\ntoskrnl.exe

2010-02-16 16:57 . 2004-08-04 05:59 2021888 ------w- c:\windows\system32\ntkrnlpa.exe

2006-10-04 18:42 . 2006-10-04 18:42 774144 ------w- c:\program files\RngInterstitial.dll

.

<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\logitechdesktopmessenger .exe
</pre>

------- Sigcheck -------

[-] 2010-05-02 15:43 . 1031269290532736167AC627775E8435 . 56766 . . [------] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe

[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [N/A]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]

"TpShocks"="TpShocks.exe" [2005-11-07 106496]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-15 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-15 118784]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]

"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]

"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-11-24 106496]

"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]

"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]

"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-13 492840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Lonnie Hastings\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IBM\\TeamConcert\\client\\eclipse\\jdk\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=

"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 9:36 PM 93320]

R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]

R2 StarlightService;Starlight Server;c:\program files\Future Point\Starlight\Bin\SLServerRepository.exe [5/8/2009 9:14 AM 811008]

R2 StarlightXEEService;Starlight XEE Service;c:\program files\Future Point\XEE\Bin\SLXee2ServiceU.exe [5/8/2009 9:19 AM 122880]

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]

S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/26/2008 5:58 PM 18176]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/26/2008 5:58 PM 7680]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/26/2008 5:58 PM 23680]

S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/18/2007 7:53 PM 31512]

S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 13840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2010-05-13 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-17 08:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\

FF - component: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Picasa2\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

Notify-ACNotify - ACNotify.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-13 08:36

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A86CEE4]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9ede7b4

\Driver\iaStor -> iaStor.sys @ 0xb9e14b58

IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684

\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684

NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d14ba0

PacketIndicateHandler -> NDIS.sys @ 0xb9d21b21

SendHandler -> NDIS.sys @ 0xb9cff87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\,** ]

"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)

c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(4328)

c:\windows\system32\PROCHLP.DLL

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\IPSSVC.EXE

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\System32\TPHDEXLG.EXE

c:\windows\system32\TpKmpSVC.exe

c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe

c:\program files\tbh\base\bin\tbhDaemon.exe

c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe

c:\windows\system32\tp4mon.exe

c:\windows\system32\TpShocks.exe

c:\windows\system32\rundll32.exe

c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\IBM ThinkVantage\Client Security Solution\pwmgr.exe

.

**************************************************************************

.

Completion time: 2010-05-13 08:44:58 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-13 15:44

ComboFix2.txt 2009-09-22 16:10

Pre-Run: 21,563,224,064 bytes free

Post-Run: 21,548,728,320 bytes free

- - End Of File - - 6836528715548B9E9A5BD29F3F5FAF5F

[kahdah]

Download the following GMER Rootkit Scanner from Here

• Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  
• Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  
• It may take a minute to load and become available.
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  

  
  

• IAT/EAT
  
  
• Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  
  
• Show All (don't miss this one)

  
  

• Then click the Scan button & wait for it to finish.
  
• Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop
  
• **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  
• Click OK and quit the GMER program.
  
• Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  
• Post that log in your next reply.
  

[lonnie]

here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-13 14:33:29

Windows 5.1.2600 Service Pack 2

Running: foe5824e.exe; Driver: C:\DOCUME~1\LONNIE~1\LOCALS~1\Temp\agtdapob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9FE7478A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0x9FE74821]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9FE74738]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x9FE7474C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9FE74835]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9FE74861]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0x9FE748CF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0x9FE748B9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9FE747CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x9FE748FB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0x9FE7480D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x9FE74710]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x9FE74724]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9FE7479E]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0x9FE74937]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0x9FE748A3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0x9FE7488D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x9FE7484B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x9FE74923]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x9FE7490F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x9FE74776]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x9FE74762]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0x9FE74877]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9FE747F9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0x9FE748E5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9FE747E0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9FE747B4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504ABC 7 Bytes JMP 9FE747B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80577F76 5 Bytes JMP 9FE7478E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E3E 7 Bytes JMP 9FE747CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C4C 5 Bytes JMP 9FE747E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7222 7 Bytes JMP 9FE747A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CA160 5 Bytes JMP 9FE74714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CA3EC 5 Bytes JMP 9FE74728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CCBAA 5 Bytes JMP 9FE74766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE96 7 Bytes JMP 9FE74750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF4C 5 Bytes JMP 9FE7473C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D0456 5 Bytes JMP 9FE7477A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1686 5 Bytes JMP 9FE747FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 80620664 7 Bytes JMP 9FE74891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 806209B2 5 Bytes JMP 9FE74913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80620C6A 7 Bytes JMP 9FE7487B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80620F32 7 Bytes JMP 9FE748E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062178C 7 Bytes JMP 9FE748A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 80621FE4 7 Bytes JMP 9FE7484F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 806225BE 5 Bytes JMP 9FE74825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP 9FE74839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C2A 7 Bytes JMP 9FE74865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80622E0A 7 Bytes JMP 9FE748D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80623074 7 Bytes JMP 9FE748BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80623960 5 Bytes JMP 9FE74811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80623CA0 7 Bytes JMP 9FE7493B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 806241C6 5 Bytes JMP 9FE74927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806242E0 5 Bytes JMP 9FE748FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xBA670814]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[156] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[156] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009F0000

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009F0087

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009F006C

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009F0F92

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009F0FAF

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009F003D

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009F00BD

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009F00AC

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F00E2

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009F0F49

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009F0F38

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009F0FC0

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009F0FE5

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009F0F81

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009F002C

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009F001B

.text C:\WINDOWS\system32\svchost.exe[204] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009F0F64

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009E0FD4

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009E0F94

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009E0FEF

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009E0025

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 009E005B

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 009E000A

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 009E0040

.text C:\WINDOWS\system32\svchost.exe[204] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 009E0FC3

.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D0067

.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D004C

.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D0FE3

.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D000C

.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D0FD2

.text C:\WINDOWS\system32\svchost.exe[204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D001D

.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 009C0FE5

.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 009C0000

.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 009C001B

.text C:\WINDOWS\system32\svchost.exe[204] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 009C002C

.text C:\WINDOWS\system32\svchost.exe[204] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007E0000

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 013C0FEF

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 013C0F4B

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 013C0036

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 013C0F68

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 013C0F79

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 013C0025

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 013C0F2E

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 013C0076

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 013C0091

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 013C0EF8

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 013C00AC

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 013C0F9E

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 013C0000

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 013C005B

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 013C0FB9

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 013C0FD4

.text C:\WINDOWS\system32\svchost.exe[348] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 013C0F1D

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013B0FCA

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013B005B

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013B001B

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013B0000

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 013B0F9E

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 013B0FEF

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 013B0FAF

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [5B, 89]

.text C:\WINDOWS\system32\svchost.exe[348] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 013B002C

.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013A0F97

.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!system 77C293C7 5 Bytes JMP 013A0FB2

.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013A0FDE

.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013A000C

.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013A0FCD

.text C:\WINDOWS\system32\svchost.exe[348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013A0FEF

.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 01390FE5

.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 01390000

.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 01390FC8

.text C:\WINDOWS\system32\svchost.exe[348] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 01390FB7

.text C:\WINDOWS\system32\svchost.exe[348] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00DA000A

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00920000

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00920F72

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00920F8D

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00920F9E

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00920051

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00920FC0

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009200A4

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00920093

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00920F1F

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00920F3A

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009200D3

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00920FAF

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00920011

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00920082

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00920FD1

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00920022

.text C:\WINDOWS\System32\svchost.exe[676] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00920F4B

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00910FC0

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00910F5E

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0091001B

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00910FEF

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00910F6F

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00910000

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00910F94

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [b1, 88] {MOV CL, 0x88}

.text C:\WINDOWS\System32\svchost.exe[676] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00910FA5

.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00900F90

.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!system 77C293C7 5 Bytes JMP 00900FAB

.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00900FC6

.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00900000

.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00900011

.text C:\WINDOWS\System32\svchost.exe[676] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00900FD7

.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 007E000A

.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 007E0FEF

.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 007E0FDE

.text C:\WINDOWS\System32\svchost.exe[676] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 007E0FCD

.text C:\WINDOWS\System32\svchost.exe[676] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001C000A

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00920000

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00920090

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00920075

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00920F9B

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00920058

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00920FC7

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00920F6A

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009200B2

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00920F3E

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009200D7

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00920F2D

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00920FAC

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00920011

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009200A1

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00920033

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00920022

.text C:\WINDOWS\System32\svchost.exe[680] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00920F59

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00910FC0

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00910F72

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0091001B

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00910FE5

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00910F83

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00910000

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00910F94

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [b1, 88] {MOV CL, 0x88}

.text C:\WINDOWS\System32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00910FAF

.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0090005F

.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00900044

.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00900029

.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00900FEF

.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00900FD4

.text C:\WINDOWS\System32\svchost.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0090000C

.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 007E0FEF

.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 007E0000

.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 007E0027

.text C:\WINDOWS\System32\svchost.exe[680] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 007E0038

.text C:\WINDOWS\System32\svchost.exe[680] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001C0FEF

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0000

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0F63

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF0058

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0047

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0F8A

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0FB6

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF0069

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0F21

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0EF2

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF008B

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00FF0EE1

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00FF0FA5

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00FF0011

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00FF0F48

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00FF0022

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00FF0FDB

.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00FF007A

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FC0

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80051

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B8001B

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B8000A

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B80F94

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B80FEF

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00B80FAF

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [D8, 88]

.text C:\WINDOWS\system32\services.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B8002C

.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70049

.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70038

.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7001D

.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000

.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70FC8

.text C:\WINDOWS\system32\services.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FE3

.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00B60FE5

.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00B60000

.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00B6001B

.text C:\WINDOWS\system32\services.exe[1008] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00B6002C

.text C:\WINDOWS\system32\services.exe[1008] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006F0000

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0FE5

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0F6B

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF0F7C

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0F8D

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0040

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0FA8

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF0087

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0F3F

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0F09

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF0F24

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00FF0EF8

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00FF002F

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00FF0FD4

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00FF0F50

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00FF001E

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00FF0FC3

.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00FF0098

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FAF

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40062

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FCA

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40000

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00E40047

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00E40FE5

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00E4002C

.text C:\WINDOWS\system32\lsass.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00E4001B

.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E3004E

.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FC3

.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30022

.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF

.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E3003D

.text C:\WINDOWS\system32\lsass.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FDE

.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E10FEF

.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00E20FEF

.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00E20000

.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00E20FD4

.text C:\WINDOWS\system32\lsass.exe[1020] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00E2001B

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EA0000

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EA00A2

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EA0091

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EA0076

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EA0FB9

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EA0FE5

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EA0F77

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EA00BF

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EA0F4B

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EA0F5C

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00EA0F30

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00EA0FCA

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00EA001B

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00EA0F88

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00EA0047

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00EA0036

.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00EA00DA

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E90FD1

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90062

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90022

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E90011

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00E90FA5

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00E90000

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00E90FB6

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [09, 89]

.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00E9003D

.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80FDE

.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E8005F

.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80044

.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E8000C

.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80FEF

.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80029

.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00E70FEF

.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00E7000A

.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00E70025

.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00E70042

.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E00000

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C20FE5

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C2009D

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C20082

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C20071

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C20FB2

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C20FD4

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C20F83

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C200C9

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C2010B

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C200F0

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C20F4D

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C20FC3

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C2000A

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C200AE

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C20040

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C2001B

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C20F72

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C10FB2

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10040

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FC3

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FDE

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00C1002F

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00C10FEF

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00C10F8D

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00C1001E

.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00031

.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00F9C

.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C0000C

.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FE3

.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FB7

.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00FD2

.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00BF0FD4

.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00BF0FEF

.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00BF000A

.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00BF001B

.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BE000A

.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0094000A

.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0095000A

.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 03540FEF

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0354006E

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 03540F79

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 03540053

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 03540F8A

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 03540FA5

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 03540F32

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 03540F43

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 035400A6

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 03540F17

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 035400B7

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0354002C

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 03540000

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 03540F54

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 03540FC0

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 03540011

.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0354008B

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03530FDB

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03530F8D

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03530036

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0353001B

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 03530F9E

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 03530000

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 03530FAF

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [73, 8B] {JAE 0xffffffffffffff8d}

.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 03530FCA

.text C:\WINDOWS\System32\svchost.exe[1320] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00B0000A

.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03520F86

.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 03520011

.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03520FC6

.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03520000

.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03520FA1

.text C:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03520FE3

.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 03510FEF

.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 03510000

.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 03510FDE

.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 03510031

.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 03500FE5

.text C:\WINDOWS\Explorer.EXE[1588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B1000A

.text C:\WINDOWS\Explorer.EXE[1588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A

.text C:\WINDOWS\Explorer.EXE[1588] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B0000C

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01AA0000

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01AA009D

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01AA0FA8

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01AA0FB9

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01AA0FCA

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01AA0051

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01AA0F72

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01AA00AE

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01AA0F46

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01AA00D5

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01AA0F2B

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01AA006C

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01AA0FEF

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01AA0F83

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01AA0036

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01AA0025

.text C:\WINDOWS\Explorer.EXE[1588] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01AA0F57

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A90FC3

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A9005E

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A90014

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A90FDE

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 01A90FA1

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 01A90FEF

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 01A90039

.text C:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 01A90FB2

.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A80F97

.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A80FB2

.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A80FDE

.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A80000

.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A80FCD

.text C:\WINDOWS\Explorer.EXE[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A80FEF

.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenW 771BAF6D 3 Bytes JMP 01A7000A

.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenW + 4 771BAF71 1 Byte [8A]

.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 01A70FEF

.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 01A70FDE

.text C:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 01A7002F

.text C:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01A60FEF

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BA000A

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BA0F97

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BA0FA8

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BA0FB9

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BA006C

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BA0FCA

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BA00C2

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BA00B1

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BA0109

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BA00EE

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00BA0124

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00BA0051

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00BA0025

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00BA0F86

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00BA0FE5

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00BA0036

.text C:\WINDOWS\system32\svchost.exe[1676] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00BA00D3

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FCD

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90079

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90014

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FDE

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B9005E

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B90FEF

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00B90FB2

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [D9, 88]

.text C:\WINDOWS\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B90039

.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80036

.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80025

.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FC6

.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80FE3

.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FB5

.text C:\WINDOWS\system32\svchost.exe[1676] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80000

.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 007E0FE5

.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 007E0000

.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 007E001B

.text C:\WINDOWS\system32\svchost.exe[1676] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 007E0036

.text C:\WINDOWS\system32\svchost.exe[1676] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001C0000

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00950000

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00950076

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00950065

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00950F97

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0095004A

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00950FB9

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00950F38

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00950F49

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009500AF

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00950F0C

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009500CA

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00950FA8

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00950011

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00950F66

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00950FCA

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00950FDB

.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00950F1D

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0094002C

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0094005F

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00940011

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00940000

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0094004E

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00940FEF

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 0094003D

.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00940FC0

.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0038

.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0FB7

.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0FE3

.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000

.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FC8

.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E001D

.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 001C000A

.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 001C0FEF

.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 001C0FC8

.text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 001C0FB7

.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001B0FE5

.text C:\WINDOWS\system32\wuauclt.exe[2084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0084000A

.text C:\WINDOWS\system32\wuauclt.exe[2084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0085000A

.text C:\WINDOWS\system32\wuauclt.exe[2084] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0083000C

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0261000A

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02610F70

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02610F81

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02610F9C

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02610065

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02610040

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 026100B1

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02610F5F

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 026100CC

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02610F33

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 026100DD

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02610FB9

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02610025

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02610080

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02610FD4

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02610FEF

.text C:\WINDOWS\system32\wuauclt.exe[2084] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02610F44

.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025F0FCD

.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!system 77C293C7 5 Bytes JMP 025F0058

.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025F0033

.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025F0000

.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025F0FDE

.text C:\WINDOWS\system32\wuauclt.exe[2084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025F0FEF

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0260002C

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0260006C

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02600011

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02600000

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 02600FA5

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 02600FE5

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 02600047

.text C:\WINDOWS\system32\wuauclt.exe[2084] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 02600FB6

.text C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 025E0FD4

.text C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 025E0FE5

.text C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 025E0FB7

.text C:\WINDOWS\system32\wuauclt.exe[2084] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 025E000A

.text C:\WINDOWS\system32\wuauclt.exe[2084] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 025D0000

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B3000A

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B30F9B

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B30FAC

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B30086

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B30FC7

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B30058

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B300A1

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B30F59

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B30F34

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B300CD

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00B300E8

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00B30069

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00B3001B

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00B30F76

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00B30047

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00B30036

.text C:\WINDOWS\system32\svchost.exe[2496] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00B300BC

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B20FCA

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B20F94

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B2001B

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B20000

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B20FAF

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B20FE5

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00B20051

.text C:\WINDOWS\system32\svchost.exe[2496] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B20040

.text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B10FC7

.text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B1005C

.text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B1003A

.text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B10000

.text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B1004B

.text C:\WINDOWS\system32\svchost.exe[2496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B1001D

.text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00B0000A

.text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00B00FEF

.text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00B00FD4

.text C:\WINDOWS\system32\svchost.exe[2496] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00B00027

.text C:\WINDOWS\system32\wuauclt.exe[4460] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB000A

.text C:\WINDOWS\system32\wuauclt.exe[4460] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B1000A

.text C:\WINDOWS\system32\wuauclt.exe[4460] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AA000C

.text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0011

.text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0F86

.text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0000

.text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FE3

.text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FAB

.text C:\WINDOWS\system32\wuauclt.exe[4460] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FD2

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0025

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F9E

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FD4

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FE5

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 002D0FAF

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 002D0000

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 002D005B

.text C:\WINDOWS\system32\wuauclt.exe[4460] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 002D0040

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8A64DEE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[kahdah]

1. Please open Notepad

• Click Start , then Run
  
• type in notepad in the Run Box then hit ok.
  

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

RenV::
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\logitechdesktopmessenger .exe

Fcopy::
c:\windows\ERDNT\cache\ctfmon.exe|c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
c:\windows\ERDNT\cache\ctfmon.exe|c:\windows\system32\ctfmon.exe

TDL::
C:\WINDOWS\system32\drivers\pciide.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

• Combofix.txt
  

[lonnie]

I am getting the same blue screen error that I experienced before....

after combofix starts and says it is scanning for infected files, my computer crashes and the error screen says BAD_POOL_CALLER

I tried to restart and run it again, but it happens every time... i went through the cycle 5-6 times with no luck.

[kahdah]

Ok we will go about it a different way.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  :Filefind
  pciide.*

  
  

• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

[lonnie]

here are the systemlook results:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 10:51 on 14/05/2010 by Lonnie Hastings (Administrator - Elevation successful)

========== Filefind ==========

Searching for "pciide.*"

C:\cmdcons\PCIIDE.SY_ --a--- 1695 bytes [20:51 17/08/2001] [20:51 17/08/2001] DD70748EDC4DB912A6603D87760EE322

C:\I386\PCIIDE.SY_ ------ 1695 bytes [12:00 04/08/2004] [12:00 04/08/2004] DD70748EDC4DB912A6603D87760EE322

C:\WINDOWS\system32\drivers\pciide.sys ------ 3328 bytes [19:02 09/08/2004] [20:51 17/08/2001] CCF5F451BB1A5A2A522A76E670000FF0

-=End Of File=-

[kahdah]

Please go to Start>Run type in Notepad.

Copy what is in the code box below into the open Notepad window.

ren c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe ctfmon.vir
ren c:\windows\system32\ctfmon.exe ctfmon.vir
ren C:\WINDOWS\system32\drivers\pciide.sys pciide.vir
expand C:\I386\PCIIDE.SY_ C:\WINDOWS\system32\drivers\

Save this to the C:\Drive and name it fix.txt

Once that is done please reboot the computer and when the computer boots this time when yoiu are presented with the option to choose what you want to boot into choose the recovery console instead of Windows.

Once in the Recovery Console select the installation that you want to access from the Recovery Console...by number (usually 1)

When you are prompted to do so, type the Administrator password. If you have not set an administrator password, leave it blank and just press "Enter".

At the Recovery Console command prompt, type batch C:\fix.txt C:\Results.txt then hit enter you will see a few lines go by very quickly.

Once that has completed type in exit.

Your computer will then restart.

Once windows reboots again post the contents of a new gmer log and the C:\Results.txt file please.

[lonnie]

Hi!

I copied and saved the fix.txt file, but when I tried to boot into the recovery console, I got a blue error screen with stop code 0x00000007B. It said to check my computer for viruses and to run chkdsk /f to check my harddrive for corruptions. I did this and then tried again to start the recovery console but got the same error message.

thankyou!!!

[kahdah]

Hi it is because you have a sata setting in the bios what is the make and model of the computer?

[lonnie]

IBM thinkpad x60

[kahdah]

Ok I need you to boo into the bios to change the hard drive configuration so we can access the hard drive from the Recovery Console.

Visitthis link to see how to enter the bis http://www-307.ibm.com/pc/support/site.wss...cid=YAST-3JWKJX

I don't see your particular model number listed there but I think that it is pretty much the same over the broad spectrum of models.

Once into the bios navigate to the Integrated Periphrials section.

What we are looking for is a setting that will turn off sata and switch it to IDE.

This may be present as a setting called Sata Mode if it is then navigate to it and see if you can change it.

It may also be under a setting called Hard drive Configuration once you find this setting change it to IDE instead of Sata then you can usually hit the F10 key to save the changes and restart again into the recovery console and follow my previous instructions.

But after exiting the Recovery Console you must switch it back to Sata mode in the bios or you will reach a blue screen.

Let me know if you get stuck and let me know how it works out.

If you are unsure of something stop and ask.

[lonnie]

Hi,

I changed the SATA setting and then started the Recovery console and followed your directions, here is the Results.txt file :

-----------------------------------------------------------------

The system cannot find the file or directory specified.

A directory or file with the name ctfmon.vir already exists.

A directory or file with the name pciide.vir already exists.

Overwrite pciide.sys? (Yes/No/All/Quit): 0 file(s) expanded.

-----------------------------------------------------------------

Is there something I did wrong? In the recovery console, I typed batch C:\fix.txt C:\Results, and this is what my fix.txt file looks like...

----------------------

ren c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe ctfmon.vir

ren c:\windows\system32\ctfmon.exe ctfmon.vir

ren C:\WINDOWS\system32\drivers\pciide.sys pciide.vir

expand C:\I386\PCIIDE.SY_ C:\WINDOWS\system32\drivers\

--------------------------------------------------------------------------

is there something else I should do at this point or should I go ahead with another GMER scan?

Thankyou for all your help!!

[kahdah]

Try to run gmer once more please maybe combofix fixed it but couldn't finish.

[lonnie]

here is the latest GMER log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-16 08:37:52

Windows 5.1.2600 Service Pack 2

Running: foe5824e.exe; Driver: C:\DOCUME~1\LONNIE~1\LOCALS~1\Temp\agtdapob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA792278A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA7922821]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA7922738]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA792274C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA7922835]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA7922861]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA79228CF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA79228B9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA79227CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA79228FB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA792280D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA7922710]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA7922724]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA792279E]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA7922937]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA79228A3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA792288D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA792284B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA7922923]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA792290F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA7922776]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA7922762]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA7922877]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA79227F9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA79228E5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA79227E0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA79227B4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504ABC 7 Bytes JMP A79227B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80577F76 5 Bytes JMP A792278E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E3E 7 Bytes JMP A79227CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C4C 5 Bytes JMP A79227E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7222 7 Bytes JMP A79227A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CA160 5 Bytes JMP A7922714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CA3EC 5 Bytes JMP A7922728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CCBAA 5 Bytes JMP A7922766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE96 7 Bytes JMP A7922750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF4C 5 Bytes JMP A792273C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D0456 5 Bytes JMP A792277A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1686 5 Bytes JMP A79227FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 80620664 7 Bytes JMP A7922891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 806209B2 5 Bytes JMP A7922913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80620C6A 7 Bytes JMP A792287B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80620F32 7 Bytes JMP A79228E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062178C 7 Bytes JMP A79228A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 80621FE4 7 Bytes JMP A792284F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 806225BE 5 Bytes JMP A7922825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP A7922839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C2A 7 Bytes JMP A7922865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80622E0A 7 Bytes JMP A79228D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80623074 7 Bytes JMP A79228BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80623960 5 Bytes JMP A7922811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80623CA0 7 Bytes JMP A792293B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 806241C6 5 Bytes JMP A7922927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806242E0 5 Bytes JMP A79228FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01300FE5

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01300F41

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01300F52

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0130002C

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01300F79

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01300F94

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01300073

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01300062

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01300EEE

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01300EFF

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01300EDD

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0130001B

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01300FCA

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01300051

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01300000

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01300FB9

.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01300F1A

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012F0036

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012F0062

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012F0025

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012F0FE5

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 012F0FA5

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 012F0000

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 012F0047

.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 012F0FC0

.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012E003D

.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!system 77C293C7 5 Bytes JMP 012E0022

.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012E0000

.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012E0FE3

.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012E0011

.text C:\WINDOWS\system32\svchost.exe[416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012E0FD2

.text C:\WINDOWS\system32\svchost.exe[416] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FF0FEF

.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 012D0FD4

.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 012D0FEF

.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 012D0FAD

.text C:\WINDOWS\system32\svchost.exe[416] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 012D0F9C

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[756] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[756] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070FEF

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070080

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070F8B

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070065

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070054

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0007002F

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F38

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070F49

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00070F02

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0007009B

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00070EF1

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00070FB2

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0007000A

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00070F66

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00070FC3

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00070FD4

.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070F1D

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060025

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F8D

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FD4

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0006000A

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0006004A

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00060FEF

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00060FA8

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [26, 88]

.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00060FB9

.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050040

.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FAB

.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC6

.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3

.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005001B

.text C:\WINDOWS\system32\services.exe[1000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000

.text C:\WINDOWS\system32\services.exe[1000] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040FEF

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01110000

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01110F80

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01110075

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01110F9B

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01110FB6

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01110047

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01110F48

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01110F65

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01110F08

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01110F19

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 011100B2

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01110058

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0111001B

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01110086

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01110FDB

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeA 7C85FE94 3 Bytes JMP 0111002C

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!CreateNamedPipeA + 4 7C85FE98 1 Byte [84]

.text C:\WINDOWS\system32\lsass.exe[1024] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 011100A1

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FC3

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0054

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FDE

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0014

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00FF0F97

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00FF0FEF

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00FF0FB2

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [1F, 89]

.text C:\WINDOWS\system32\lsass.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00FF0039

.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0042

.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0FB7

.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FD2

.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF

.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE001D

.text C:\WINDOWS\system32\lsass.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE000C

.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FD0000

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008C0000

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008C0F72

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008C0F83

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008C0F94

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008C0051

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008C0FAF

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008C009F

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008C008E

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C00C4

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008C0F35

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008C00D5

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008C0036

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008C001B

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008C0F61

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008C0FC0

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008C0FDB

.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008C0F46

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B002F

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0065

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0FD4

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0000

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 008B0FA8

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 008B0FEF

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 008B0FC3

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [AB, 88]

.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 008B004A

.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0FB9

.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0FD4

.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0029

.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0000

.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0044

.text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A0FEF

.text C:\WINDOWS\system32\svchost.exe[1208] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00890FEF

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A30FEF

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A3007F

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A3006E

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A30F94

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A30FA5

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A30FB6

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A300B0

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A30F68

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A300CB

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A30F32

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A300DC

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A30047

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A30000

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A30F79

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A30022

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A30011

.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A30F4D

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20022

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20F6F

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20FD1

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20011

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00A20F8A

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00A20000

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00A20F9B

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [C2, 88]

.text C:\WINDOWS\system32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00A20FB6

.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10069

.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10044

.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10FEF

.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10000

.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10FDE

.text C:\WINDOWS\system32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A1001D

.text C:\WINDOWS\system32\svchost.exe[1288] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A00FE5

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 03190000

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 03190F76

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 03190075

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 03190064

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 03190047

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 03190036

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 03190F4F

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 03190097

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 031900CD

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 031900BC

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 03190F0F

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 03190FA5

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0319001B

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 03190086

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 03190FCA

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 03190FE5

.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 03190F3E

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0318000A

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0318005B

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03180FC3

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03180FDE

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 03180040

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 03180FEF

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 03180F9E

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [38, 8B]

.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 03180025

.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0317000A

.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 03170F7F

.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03170FB5

.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03170FE3

.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03170F9A

.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03170FD2

.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 03150FEF

.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 03160FD4

.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 03160FE5

.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 03160FC3

.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 03160FB2

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B000A

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0056

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F61

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0F72

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B002F

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FB2

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0078

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0067

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B00BF

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00AE

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001B0F01

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001B0F97

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001B0FEF

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001B0F46

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001B0FCD

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001B0FDE

.text C:\WINDOWS\system32\wuauclt.exe[1440] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001B0093

.text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F92

.text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FA3

.text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029000C

.text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF

.text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029001D

.text C:\WINDOWS\system32\wuauclt.exe[1440] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FD2

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F94

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FEF

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 002A0051

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 002A0000

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 002A0FAF

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [4A, 88]

.text C:\WINDOWS\system32\wuauclt.exe[1440] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 002A0036

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A4000A

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A40F77

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A40076

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A40F9C

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A40065

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A40FC3

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A40098

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A40F50

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A40F35

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A400D8

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A400F3

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A40054

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A40FE5

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A40087

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A4002F

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A40FD4

.text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A400BD

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A30033

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 77DD776C 1 Byte [E9]

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30070

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30022

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30011

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00A3005F

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00A30000

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00A30FBD

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [C3, 88]

.text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00A3004E

.text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20F7F

.text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20000

.text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20FAB

.text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FEF

.text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20F90

.text C:\WINDOWS\system32\svchost.exe[1564] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20FC6

.text C:\WINDOWS\system32\svchost.exe[1564] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A10FEF

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A8000A

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A8009A

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A80089

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A80078

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A80FAF

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80FCA

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A800BC

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A80F74

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A80F3E

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A800D7

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A80F19

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A80051

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A80025

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A800AB

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A80FEF

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A80036

.text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A80F59

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A7002C

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70F97

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A7001B

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A70FE5

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00A70FA8

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00A70000

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00A70FB9

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [C7, 88]

.text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00A70FCA

.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A6005D

.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60042

.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A6000C

.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FEF

.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60027

.text C:\WINDOWS\system32\svchost.exe[1604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FD2

.text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A50000

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00800FEF

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00800078

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00800067

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00800F83

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00800040

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0080002F

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00800F5E

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0080009A

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008000E3

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008000D2

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008000F4

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00800FA8

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00800FDE

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00800089

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00800014

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00800FC3

.text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008000B7

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F001B

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0F8A

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0FC0

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0FDB

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 007F0FAF

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 007F0000

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 007F0047

.text C:\WINDOWS\System32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 007F0036

.text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E003D

.text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E002C

.text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0011

.text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FE3

.text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FC6

.text C:\WINDOWS\System32\svchost.exe[1864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0000

.text C:\WINDOWS\System32\svchost.exe[1864] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FE5

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008F0000

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008F007C

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008F0F87

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008F0FA2

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008F005F

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008F003D

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008F0F59

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008F0F76

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008F00D7

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008F0F34

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008F0F19

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008F004E

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008F001B

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008F00A1

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008F002C

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008F0FE5

.text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008F00BC

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E0022

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E004E

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FDB

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0011

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 008E0033

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 008E0000

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 008E0F9B

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [AE, 88]

.text C:\WINDOWS\system32\svchost.exe[2044] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 008E0FB6

.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008D002E

.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!system 77C293C7 5 Bytes JMP 008D0FAD

.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008D0FD2

.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008D0FEF

.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008D001D

.text C:\WINDOWS\system32\svchost.exe[2044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008D000C

.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 008C0FD4

.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 008C0FEF

.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 008C0FC3

.text C:\WINDOWS\system32\svchost.exe[2044] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 008C0016

.text C:\WINDOWS\system32\svchost.exe[2044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008B000A

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00800FEF

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00800F4D

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00800F68

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00800042

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00800F83

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0080000A

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0080007A

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0080005D

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00800F03

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008000A6

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008000B7

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00800025

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00800FD4

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00800F32

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00800FA8

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00800FC3

.text C:\WINDOWS\System32\svchost.exe[2136] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0080008B

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0FE5

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0F6F

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0036

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F001B

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 007F0F94

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 007F000A

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 007F0FAF

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [9F, 88]

.text C:\WINDOWS\System32\svchost.exe[2136] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 007F0FCA

.text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FB7

.text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0042

.text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E001D

.text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E000C

.text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FC8

.text C:\WINDOWS\System32\svchost.exe[2136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0FE3

.text C:\WINDOWS\System32\svchost.exe[2136] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0000

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B90000

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B90F8A

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B90F9B

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B90073

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B90062

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B90FC0

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B900AB

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoA 7C801EEE 3 Bytes JMP 00B9009A

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoA + 4 7C801EF2 1 Byte [84]

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B900CD

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B90F34

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00B90F23

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00B90051

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00B9001B

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00B90F79

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00B90FDB

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00B90036

.text C:\WINDOWS\system32\svchost.exe[2640] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00B900BC

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80036

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B8007D

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FEF

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80025

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00B80FC0

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00B8000A

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 00B80062

.text C:\WINDOWS\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00B80051

.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B7005A

.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FD9

.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7002E

.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000

.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B7003F

.text C:\WINDOWS\system32\svchost.exe[2640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70011

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D60000

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D60F54

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D60049

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D60F6F

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D60F80

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D60FB6

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D60F28

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D60F43

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D600B7

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D600A6

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00D600C8

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00D60F9B

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00D60011

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00D6006E

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00D60FDB

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00D6002C

.text C:\WINDOWS\Explorer.EXE[3092] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00D6008B

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FAF

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F4D

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FCA

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50FEF

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00D50F5E

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00D50000

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00D50F79

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [F5, 88]

.text C:\WINDOWS\Explorer.EXE[3092] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00D50F94

.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FB9

.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0FD4

.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FE5

.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0000

.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0044

.text C:\WINDOWS\Explorer.EXE[3092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0029

.text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00CC0FD4

.text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 00CC0FEF

.text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00CC0016

.text C:\WINDOWS\Explorer.EXE[3092] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00CC0FC3

.text C:\WINDOWS\Explorer.EXE[3092] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CB0000

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02580000

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02580F57

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0258004C

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02580F72

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02580F83

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0258002F

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0258009F

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0258008E

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02580F10

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02580F21

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02580EFF

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02580FA8

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02580FE5

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02580071

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02580FC3

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02580FD4

.text C:\WINDOWS\system32\wuauclt.exe[3156] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02580F3C

.text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02560FB7

.text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!system 77C293C7 5 Bytes JMP 02560042

.text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0256001D

.text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02560FEF

.text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02560FD2

.text C:\WINDOWS\system32\wuauclt.exe[3156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0256000C

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02570036

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02570F9B

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02570025

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02570000

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 02570062

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 02570FE5

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 02570FC0

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [77, 8A] {JA 0xffffffffffffff8c}

.text C:\WINDOWS\system32\wuauclt.exe[3156] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 02570047

.text C:\WINDOWS\system32\wuauclt.exe[3156] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02550FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

[kahdah]

Great now the rootkit is gone please delete your version of Combofix and redownload it and run it.

Post the log when it get's done it should complete this time.

[lonnie]

here is the combofix log:

ComboFix 10-05-15.03 - Lonnie Hastings 05/16/2010 9:13.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1398 [GMT -7:00]

Running from: c:\documents and settings\Lonnie Hastings\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))

.

2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Tableau

2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe

2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

2010-05-12 05:15 . 2010-05-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-11 15:17 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-05-11 15:13 . 2010-05-11 15:14 -------- d-----w- c:\program files\QuickTime

2010-05-11 15:10 . 2010-05-11 15:10 -------- d-----w- c:\program files\Bonjour

2010-05-11 15:08 . 2010-05-11 15:08 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 16:48 . 2010-05-02 16:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-05-02 15:43 . 2010-05-07 13:43 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\1F930E4D7330697CD6E6FD6F88246F18

2010-05-02 06:34 . 2010-05-02 15:47 -------- d-----w- c:\documents and settings\Lonnie Hastings\Local Settings\Application Data\qylfpippw

2010-04-22 15:10 . 2010-04-22 15:10 -------- d-----w- c:\windows\hpojp8500a909

2010-04-22 15:09 . 2008-08-12 17:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll

2010-04-22 15:09 . 2008-08-12 17:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll

2010-04-22 15:09 . 2008-08-22 04:24 271704 ----a-r- c:\windows\system32\hpzids01.dll

2010-04-22 15:09 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll

2010-04-22 15:09 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2010-04-22 15:09 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-04-22 15:09 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll

2010-04-22 15:09 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll

2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys

2010-04-22 15:06 . 2010-04-22 15:06 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-22 14:43 . 2010-04-22 15:25 131434 ----a-w- c:\windows\hpwins22.dat

2010-04-22 14:43 . 2008-10-25 02:28 1075 ------w- c:\windows\hpwmdl22.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-16 12:07 . 2006-08-17 09:42 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2010-05-11 15:18 . 2007-11-19 01:25 -------- d-----w- c:\program files\iTunes

2010-05-11 15:17 . 2006-09-08 04:59 -------- d-----w- c:\program files\iPod

2010-05-11 15:17 . 2007-11-19 01:23 -------- d-----w- c:\program files\Common Files\Apple

2010-05-09 01:27 . 2007-11-18 21:18 -------- d---a-w- c:\documents and settings\Lonnie Hastings\Application Data\Skype

2010-05-09 00:28 . 2007-11-18 21:19 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\skypePM

2010-05-07 19:45 . 2009-03-01 22:14 -------- d--h--w- c:\documents and settings\Lonnie Hastings\Application Data\gtk-2.0

2010-05-02 20:50 . 2009-08-03 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 22:39 . 2009-08-03 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2009-08-03 13:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-16 15:33 . 2009-10-26 06:27 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-16 15:33 . 2008-12-04 00:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-08 00:42 . 2007-11-15 07:58 -------- d-----w- c:\program files\McAfee

2010-03-28 05:32 . 2006-08-17 09:42 -------- d-----w- c:\program files\Picasa2

2010-03-28 05:30 . 2006-08-17 09:42 -------- d-----w- c:\program files\Google

2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr

2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 06:05 . 1980-01-01 07:00 668672 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 06:05 . 1980-01-01 07:00 81920 ------w- c:\windows\system32\ieencode.dll

2010-02-24 12:31 . 1980-01-01 07:00 454016 ------w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 16:56 . 2009-10-22 21:57 217088 ----a-w- c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll

2010-02-16 17:35 . 1980-01-01 07:00 2143744 ------w- c:\windows\system32\ntoskrnl.exe

2010-02-16 16:57 . 2004-08-04 05:59 2021888 ------w- c:\windows\system32\ntkrnlpa.exe

2006-10-04 18:42 . 2006-10-04 18:42 774144 ------w- c:\program files\RngInterstitial.dll

.

<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\logitechdesktopmessenger .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [N/A]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]

"TpShocks"="TpShocks.exe" [2005-11-07 106496]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-15 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-15 118784]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]

"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]

"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-11-24 106496]

"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]

"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]

"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-16 492840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Lonnie Hastings\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IBM\\TeamConcert\\client\\eclipse\\jdk\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=

"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 9:36 PM 93320]

R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]

R2 StarlightService;Starlight Server;c:\program files\Future Point\Starlight\Bin\SLServerRepository.exe [5/8/2009 9:14 AM 811008]

R2 StarlightXEEService;Starlight XEE Service;c:\program files\Future Point\XEE\Bin\SLXee2ServiceU.exe [5/8/2009 9:19 AM 122880]

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]

S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/26/2008 5:58 PM 18176]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/26/2008 5:58 PM 7680]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/26/2008 5:58 PM 23680]

S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/18/2007 7:53 PM 31512]

S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 13840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2010-05-16 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-17 08:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\

FF - component: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Picasa2\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-16 09:20

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\,** ]

"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)

c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(3168)

c:\windows\system32\PROCHLP.DLL

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-05-16 09:23:13

ComboFix-quarantined-files.txt 2010-05-16 16:22

ComboFix2.txt 2010-05-13 15:45

ComboFix3.txt 2009-09-22 16:10

Pre-Run: 21,269,475,328 bytes free

Post-Run: 21,367,447,552 bytes free

- - End Of File - - DC0E0BCABECF2A6DB3C40524F7FFE3AD

[kahdah]

1. Please open Notepad

• Click Start , then Run
  
• type in notepad in the Run Box then hit ok.
  

2. Now copy/paste the entire content of the codebox below into the Notepad window:

RenV::
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\logitechdesktopmessenger .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

• Combofix.txt
  

[lonnie]

here's the new combofix log:

ComboFix 10-05-15.03 - Lonnie Hastings 05/16/2010 9:41.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1362 [GMT -7:00]

Running from: c:\documents and settings\Lonnie Hastings\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Lonnie Hastings\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))

.

2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2010-05-14 19:01 . 2010-05-14 19:01 -------- d-----w- c:\program files\Tableau

2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe

2010-05-14 17:50 . 2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

2010-05-12 05:15 . 2010-05-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-11 15:17 . 2010-05-11 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-05-11 15:13 . 2010-05-11 15:14 -------- d-----w- c:\program files\QuickTime

2010-05-11 15:10 . 2010-05-11 15:10 -------- d-----w- c:\program files\Bonjour

2010-05-11 15:08 . 2010-05-11 15:08 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 16:48 . 2010-05-02 16:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-05-02 15:43 . 2010-05-07 13:43 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\1F930E4D7330697CD6E6FD6F88246F18

2010-05-02 06:34 . 2010-05-02 15:47 -------- d-----w- c:\documents and settings\Lonnie Hastings\Local Settings\Application Data\qylfpippw

2010-04-22 15:10 . 2010-04-22 15:10 -------- d-----w- c:\windows\hpojp8500a909

2010-04-22 15:09 . 2008-08-12 17:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll

2010-04-22 15:09 . 2008-08-12 17:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll

2010-04-22 15:09 . 2008-08-22 04:24 271704 ----a-r- c:\windows\system32\hpzids01.dll

2010-04-22 15:09 . 2008-10-06 11:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll

2010-04-22 15:09 . 2007-07-09 10:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2010-04-22 15:09 . 2007-07-09 10:13 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-04-22 15:09 . 2007-07-06 10:48 294912 ----a-r- c:\windows\system32\hpovst11.dll

2010-04-22 15:09 . 2008-10-06 11:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll

2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-04-22 15:08 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys

2010-04-22 15:06 . 2010-04-22 15:06 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-22 14:43 . 2010-04-22 15:25 131434 ----a-w- c:\windows\hpwins22.dat

2010-04-22 14:43 . 2008-10-25 02:28 1075 ------w- c:\windows\hpwmdl22.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-16 12:07 . 2006-08-17 09:42 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2010-05-11 15:18 . 2007-11-19 01:25 -------- d-----w- c:\program files\iTunes

2010-05-11 15:17 . 2006-09-08 04:59 -------- d-----w- c:\program files\iPod

2010-05-11 15:17 . 2007-11-19 01:23 -------- d-----w- c:\program files\Common Files\Apple

2010-05-09 01:27 . 2007-11-18 21:18 -------- d---a-w- c:\documents and settings\Lonnie Hastings\Application Data\Skype

2010-05-09 00:28 . 2007-11-18 21:19 -------- d-----w- c:\documents and settings\Lonnie Hastings\Application Data\skypePM

2010-05-07 19:45 . 2009-03-01 22:14 -------- d--h--w- c:\documents and settings\Lonnie Hastings\Application Data\gtk-2.0

2010-05-02 20:50 . 2009-08-03 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 22:39 . 2009-08-03 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2009-08-03 13:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-16 15:33 . 2009-10-26 06:27 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-16 15:33 . 2008-12-04 00:52 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-08 00:42 . 2007-11-15 07:58 -------- d-----w- c:\program files\McAfee

2010-03-28 05:32 . 2006-08-17 09:42 -------- d-----w- c:\program files\Picasa2

2010-03-28 05:30 . 2006-08-17 09:42 -------- d-----w- c:\program files\Google

2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr

2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 06:05 . 1980-01-01 07:00 668672 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 06:05 . 1980-01-01 07:00 81920 ------w- c:\windows\system32\ieencode.dll

2010-02-24 12:31 . 1980-01-01 07:00 454016 ------w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 16:56 . 2009-10-22 21:57 217088 ----a-w- c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll

2010-02-16 17:35 . 1980-01-01 07:00 2143744 ------w- c:\windows\system32\ntoskrnl.exe

2010-02-16 16:57 . 2004-08-04 05:59 2021888 ------w- c:\windows\system32\ntkrnlpa.exe

2006-10-04 18:42 . 2006-10-04 18:42 774144 ------w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-05-16_16.20.29 )))))))))))))))))))))))))))))))))))))))))

.

- 2010-05-13 18:46 . 2010-05-16 12:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2010-05-13 18:46 . 2010-05-16 16:38 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2006-08-27 11:40 . 2010-05-16 16:38 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-08-27 11:40 . 2010-05-16 12:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-05-16 16:38 . 2010-05-16 16:38 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-26 67128]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]

"TpShocks"="TpShocks.exe" [2005-11-07 106496]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-15 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-15 118784]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]

"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]

"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-11-24 106496]

"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]

"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]

"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-16 492840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Lonnie Hastings\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IBM\\TeamConcert\\client\\eclipse\\jdk\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=

"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

"AllowOutboundDestinationUnreachable"= 1 (0x1)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 9:36 PM 93320]

R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]

R2 StarlightService;Starlight Server;c:\program files\Future Point\Starlight\Bin\SLServerRepository.exe [5/8/2009 9:14 AM 811008]

R2 StarlightXEEService;Starlight XEE Service;c:\program files\Future Point\XEE\Bin\SLXee2ServiceU.exe [5/8/2009 9:19 AM 122880]

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]

S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/26/2008 5:58 PM 18176]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/26/2008 5:58 PM 7680]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/26/2008 5:58 PM 23680]

S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/18/2007 7:53 PM 31512]

S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 13840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-15 19:22]

2010-05-16 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-17 08:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\

FF - component: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\browserhighlighter@ebay.com\components\Shim.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\Firefox\Profiles\bpgu1pxj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Lonnie Hastings\Application Data\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Picasa2\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\,** ]

"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)

c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(4324)

c:\windows\system32\PROCHLP.DLL

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-05-16 09:45:49

ComboFix-quarantined-files.txt 2010-05-16 16:45

ComboFix2.txt 2010-05-16 16:23

ComboFix3.txt 2010-05-13 15:45

ComboFix4.txt 2009-09-22 16:10

Pre-Run: 21,384,581,120 bytes free

Post-Run: 21,362,003,968 bytes free

- - End Of File - - 21A79A20FD8CEC0E104D1A6D79156967

[kahdah]

Please go to Start>Run type in Notepad.

Copy what is in the code box below into the open Notepad window.

Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

@Echo off

rd /q /s "c:\documents and settings\Lonnie Hastings\Application Data\1F930E4D7330697CD6E6FD6F88246F18"
rd /q /s "c:\documents and settings\Lonnie Hastings\Local Settings\Application Data\qylfpippw"
del %0

Then please double click on fixthis.bat a window will open and close quickly.This is normal.

=======================

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

• Click on the update tab then click on Check for updates.
  
• If an update is found, it will download and install the latest version.
  
• Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
  
• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Click Start
  
• Check next options: Remove found threats and Scan unwanted applications.
  
• Click Scan
  
• Wait for the scan to finish
  
• Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

[lonnie]

here is the ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=e828fc0b45f6f349b114a3fc26ab3566

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-05-16 07:14:44

# local_time=2010-05-16 12:14:44 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=5121 16776869 100 96 3270625 26864051 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=100570

# found=1

# cleaned=1

# scan_time=6356

C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP149\A0037349.sys a variant of Win32/Olmarik.TN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

and the malwarebytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4106

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

5/16/2010 10:16:35 AM

mbam-log-2010-05-16 (10-16-35).txt

Scan type: Quick scan

Objects scanned: 120058

Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)