
Ok,

I have a Dell Inspiron 6400 laptop running XP SP2.

After auto-downloading SP3, the laptop would not boot in any mode.

I reinstalled SP2 and began to notice a lot of redirects from browser searches.

I have run MBAM, HijackThis, DDS, GMER, SUPERAntiSpyware and TDSSKiller.

Some things have been detected and 'corrected', but the TDSS still appears in subsequent TDSSKiller scans:

(tdss.tdl4 (Hard Drive0/MBR))

Below is a DDS and GMER log. I have logs from MBAM, HijackThis and TDSSKiller if needed as well.

I would appreciate any help. I have two other computers showing signs of similar infection, but will tackle this one first.

Thank you very much.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Norman Crow at 15:31:46.89 on Wed 09/22/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.763 [GMT -5:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\dlcxcoms.exe

C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe

C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\Common Files\AOL\1174849192\ee\AOLSoftware.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\TDxVGAUTIL.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\palmOne\HOTSYNC.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Norman Crow\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100803111818.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"

mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"

mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s

mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe

mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe

mRun: [HostManager] c:\program files\common files\aol\1174849192\ee\AOLSoftware.exe

mRun: [TDxVGAUTIL] c:\windows\system32\TDxVGAUTIL.EXE

mRun: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON

mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [QuickBooksDB19] c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -n qb_nlaptop_19 -qs -gd all -gk all -gp 4096 -gu all -ch 128m -c 64m -x tcpip(broadcastlistener=no;port=55333) -ti 0 -ec simple -qi -qw -tl 120 -oe c:\docume~1\alluse~1\applic~1\intuit\quickb~2\DBSTAR~1.LOG -y

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16

mRun: [sigmatelSysTrayApp] stsystra.exe

StartupFolder: c:\docume~1\norman~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mile.webex.com/client/T27L/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {54A35DCA-211D-48CA-B618-CC0777B7DDB0} = 66.184.128.38,207.230.75.50

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll

Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {FDC32A47-A70D-4F9E-97DD-7E08EA9C6BF8} - rundll32.exe "c:\documents and settings\norman crow\application data\bitrix security\fadosvlk.dll", DllUnrer

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\norman~1\applic~1\mozilla\firefox\profiles\7enaiomx.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/

FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-2-20 214664]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]

R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-2-20 14144]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-12-16 222528]

R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2008-2-20 144704]

R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-2-20 282824]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-15 1247600]

R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2008-2-20 79816]

R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2008-2-20 35272]

R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [2007-3-29 233984]

R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [2007-3-29 234496]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2007-3-29 27135]

S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2008-2-20 34248]

S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.sys [2007-3-29 22528]

S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

=============== Created Last 30 ================

2010-09-22 16:18:14 0 d-----w- c:\program files\Trend Micro

2010-09-21 16:58:50 0 d-----w- C:\TDSSKiller_Quarantine

2010-09-21 14:28:11 0 d-----w- c:\windows\pss

2010-09-21 13:26:50 0 d-----w- c:\docume~1\norman~1\applic~1\Bitrix Security

2010-09-21 04:31:27 47616 ---ha-w- c:\windows\system32\boots-sd.dll

2010-09-20 15:43:50 0 d-----w- c:\docume~1\norman~1\applic~1\SUPERAntiSpyware.com

2010-09-20 15:43:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-09-20 15:43:41 0 d-----w- c:\program files\SUPERAntiSpyware

2010-09-19 12:47:49 926 ----a-w- C:\MFW8.xml

2010-09-19 00:25:27 1630 ----a-w- C:\MFW7.xml

2010-09-18 22:38:08 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-18 22:38:08 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-18 19:59:43 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-09-18 19:59:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-09-18 13:41:37 0 d-----w- c:\windows\system32\LogFiles

2010-09-18 13:41:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2010-09-18 00:03:02 0 d-----w- C:\9a9d5fba148b37cfcfc75b

2010-09-17 16:17:31 0 d-----w- c:\docume~1\norman~1\applic~1\Malwarebytes

2010-09-17 16:17:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-17 16:17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-17 16:17:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-09-17 16:17:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-17 12:19:59 4096 -c--a-w- c:\windows\system32\dllcache\rpcref.dll

2010-09-17 12:18:59 81976 -c--a-w- c:\windows\system32\dllcache\imjpdct.dll

2010-09-17 12:17:59 9728 -c--a-w- c:\windows\system32\dllcache\change.exe

2010-09-17 12:16:59 876653 -c--a-w- c:\windows\system32\dllcache\fp4awel.dll

2010-09-17 12:14:40 488 ---ha-r- c:\windows\system32\logonui.exe.manifest

2010-09-17 12:14:32 749 ---ha-r- c:\windows\WindowsShell.Manifest

2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest

2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest

2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest

2010-09-17 12:14:32 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

2010-09-17 12:14:09 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2010-09-17 12:13:32 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll

2010-09-17 12:13:31 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe

2010-09-17 12:13:31 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe

2010-09-17 12:13:31 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe

2010-09-16 16:26:24 2145386496 ----a-w- c:\windows\MEMORY.DMP

2010-09-16 16:26:24 0 d-----w- c:\windows\dell

==================== Find3M ====================

2010-09-17 12:12:21 23428 -c--a-w- c:\windows\system32\emptyregdb.dat

2010-08-31 20:18:16 6840 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:43:50.79 ===============

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-09-23 11:43:19

Windows 5.1.2600 Service Pack 2

Running: mj97nhtw.exe; Driver: C:\DOCUME~1\NORMAN~1\LOCALS~1\Temp\fxddqpoc.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB1347620]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB128878A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB1288738]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB128874C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB12887CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB1288710]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB1288724]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB128879E]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB1288776]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB1288762]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB12887F9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB12887E0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB12887B4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80503DD0 7 Bytes JMP B12887B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80577E48 5 Bytes JMP B128878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B09B6 7 Bytes JMP B12887CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B17C4 5 Bytes JMP B12887E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6D8A 7 Bytes JMP B12887A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805C9C64 5 Bytes JMP B1288714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805C9EF0 5 Bytes JMP B1288728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CC6AE 5 Bytes JMP B1288766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF984 7 Bytes JMP B1288750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805CFA3A 5 Bytes JMP B128873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805CFF5C 5 Bytes JMP B128877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D118C 5 Bytes JMP B12887FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----


.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01E30036

.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 01E30FE5

.text C:\WINDOWS\Explorer.EXE[2144] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 01E30F6F

.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01E10053

.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!system 77C293C7 5 Bytes JMP 01E10042

.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01E10FD2

.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01E10FEF

.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01E10031

.text C:\WINDOWS\Explorer.EXE[2144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01E10000

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01E2001E

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01E2004A

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01E20FC3

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01E20FD4

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01E20F8D

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01E2002F

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01E20FEF

.text C:\WINDOWS\Explorer.EXE[2144] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01E20FA8

.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01E00000

.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01E0001B

.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01E00036

.text C:\WINDOWS\Explorer.EXE[2144] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01E00047

.text C:\WINDOWS\Explorer.EXE[2144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01DF0FE5

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

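As an added example (not code from the poster, the helper, or GMER), a small Python triage of the `.text` hook lines in the log above: it separates hooks GMER attributes to a named DLL (the SHW32.DLL hooks in HOTSYNC.EXE) from hooks that jump into memory with no module attribution (the svchost.exe and Explorer.EXE entries), grouping the latter by process and by the 64 KiB region their targets land in. The sample lines are copied from the log; the regex and the region heuristic are this example's own assumptions about the format.

```python
"""Triage of GMER user-mode hook lines of the form
".text <process>[pid] <module>!<export> <addr> N Bytes JMP <target> [<owner dll> (<desc>)]".
Hooks GMER attributes to a named DLL are kept apart from hooks whose JMP target
lies in memory GMER cannot attribute to any module. Heuristics are this example's own."""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[\w.]+)!(?P<func>\S+(?: \+ \d+)?)"
    r"\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S.*?\.(?:dll|DLL|exe|EXE))\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Lines copied from the posted GMER log; the last one is not a hook line and is skipped.
SAMPLE_LINES = [
    r".text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A20F5C",
    r".text C:\WINDOWS\system32\svchost.exe[2052] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 009F0000",
    r".text C:\WINDOWS\Explorer.EXE[2144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01DF0FE5",
    r".text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 "
    r"C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)",
    r".text C:\Program Files\palmOne\HOTSYNC.EXE[5704] MSVCRT.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 "
    r"C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)",
    "---- Devices - GMER 1.0.15 ----",
]

def parse_hook(line):
    """Fields of one .text hook line as a dict (owner/desc None if unattributed), else None."""
    m = HOOK_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Per process: unattributed hooks, the 64 KiB regions their targets cluster in, and
    attributed hooks. Many exports jumping into a few unbacked regions is what to escalate."""
    report = defaultdict(lambda: {"unattributed": [], "regions": set(), "attributed": []})
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        entry = report[f'{h["proc"]}[{h["pid"]}]']
        label = f'{h["mod"]}!{h["func"]} -> {h["target"]}'
        if h["owner"] is None:
            entry["unattributed"].append(label)
            entry["regions"].add(int(h["target"], 16) >> 16)
        else:
            entry["attributed"].append(f'{label} ({h["owner"]})')
    return dict(report)

if __name__ == "__main__":
    for proc, e in triage(SAMPLE_LINES).items():
        print(f'{proc}: {len(e["unattributed"])} unattributed hook(s) in regions '
              f'{sorted(hex(r << 16) for r in e["regions"])}, {len(e["attributed"])} attributed')
```

Feeding the full log through `triage` shows the same picture the helper acted on: dozens of kernel32/ADVAPI32/msvcrt/WININET exports in two system processes redirected into a handful of low, unattributed regions, while the HOTSYNC.EXE hooks all resolve to a vendor DLL.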

Hi,

Please run TDSSKiller again and let it cure all infections it finds.

After that, download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • 3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
