
search redirector and GMER won't run


fleetdog


I ran mbam, defogger, dds and attempted to run gmer, but every time I start gmer something else spins up and ties up the processor to the point that the scan can't do anything. Here are the logs from the other tools though:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4710

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

9/28/2010 1:29:49 PM

mbam-log-2010-09-28 (13-29-49).txt

Scan type: Quick scan

Objects scanned: 136915

Time elapsed: 9 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by Lauren and Ben at 7:28:50.09 on Tue 09/28/2010

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21

Microsoft

Attach.zip


Welcome to the forum.

Download TDSSKiller to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Start Scan.

Don't change these settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

---------------------------------------------

Next....please run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with W2K, XP, Vista, and Windows 7 (32-bit only).
  • ComboFix must be run from an Administrative account.
  • Vista and W7 users - Right click, choose "Run as Administrator"
  • It must be downloaded and run from your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

---------------------------

Download ComboFix from one of these locations:

Link 1

Link 2

ComboFix Guide <---please read!

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE<-------
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

MrC

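The GMER listing fleetdog posts next is long because GMER prints one line per inline-hooked export in every process. Reading it by hand is error-prone, so here is a small triage helper, added as an editor's example and not part of the thread or of GMER itself. It parses the "User code sections" line format (image, PID, module!function, original address, patch size, and the JMP target or raw patched byte), tags each hooked API with a rough family (file, process, registry, network, and so on), and summarises per process which families are intercepted and which 64 KiB regions the trampolines land in. The sample lines are taken from the listing in this thread; the family table and the region grouping are my own assumptions for triage, not anything GMER reports, and the summary does not by itself say whether a hook is benign (the kernel hooks in the same log are attributed to a McAfee driver, for instance) or malicious. It is meant to give a helper a quick overview to compare against the security products known to be installed.

```python
"""Triage helper for GMER "User code sections" hook lines (added example)."""
import re
from collections import defaultdict

# Lines taken from the GMER listing posted in this thread; the last one shows the
# alternative "1 Byte [E9]" patch form GMER prints when only the opcode is listed.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\services.exe[676] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 0024000A
.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 002300D6
.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00540025
.text C:\Windows\system32\services.exe[676] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00550FEF
.text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 001C0FEF
.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 77A88D7E 1 Byte [E9]
"""

# One GMER user-mode hook line: ".text <image>[<pid>] <module>!<func> <addr> <n> Bytes <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)

# Assumed API families (my grouping, not GMER's): hooking these lets injected code
# observe or alter file, process, memory-protection, loader, pipe and socket activity.
FAMILIES = {
    "file": ("NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"),
    "process": ("NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"),
    "memory": ("NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"),
    "loader": ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"),
    "pipe": ("CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"),
    "network": ("socket",),
}


def family_of(func):
    """Map a hooked export name to a coarse family; Reg* exports are all 'registry'."""
    if func.startswith("Reg"):
        return "registry"
    for fam, names in FAMILIES.items():
        if func in names:
            return fam
    return "other"


def parse_gmer_hooks(text):
    """Return one dict per user-mode hook line; headers and kernel entries are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        patch = m.group("patch")
        # "JMP <hex>" gives the trampoline address; "[E9]" style patches carry no target.
        target = int(patch.split()[1], 16) if patch.startswith("JMP ") else None
        hooks.append({
            "image": m.group("image"),
            "pid": int(m.group("pid")),
            "module": m.group("module"),
            "func": m.group("func"),
            "addr": int(m.group("addr"), 16),
            "size": int(m.group("size")),
            "target": target,
            "family": family_of(m.group("func")),
        })
    return hooks


def summarize(hooks):
    """Per (image, pid): hook count, intercepted families, 64 KiB regions holding trampolines."""
    summary = defaultdict(lambda: {"hooks": 0, "families": set(), "regions": set()})
    for h in hooks:
        entry = summary[(h["image"], h["pid"])]
        entry["hooks"] += 1
        entry["families"].add(h["family"])
        if h["target"] is not None:
            entry["regions"].add(h["target"] >> 16)  # e.g. 0x0024000A -> region 0x0024
    return dict(summary)


if __name__ == "__main__":
    for (image, pid), s in summarize(parse_gmer_hooks(SAMPLE_LOG)).items():
        regions = ", ".join(f"{r:04X}xxxx" for r in sorted(s["regions"])) or "n/a"
        print(f"{image}[{pid}]: {s['hooks']} hooks, families={sorted(s['families'])}, trampolines in {regions}")
```

Run it against a full GMER log saved to a file by replacing SAMPLE_LOG with the file contents; a process whose hooks all jump into a handful of low, non-module regions, covering file, process, registry and socket APIs at once, is the pattern to line up against the security software actually installed on the machine before drawing any conclusion.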

Thank you very much for helping me with this. I was eventually able to run GMER the other day but I couldn't figure out how to edit my post and we're not supposed to reply in the first 48 hours.

I ran the 2 tools you requested but when combofix was finished, there was a message box with the title of "TBIA" and a message of "Access Denied". I'm not sure what that means but the only option was "OK".

Below are the logs from GMER, TDSSKiller, and ComboFix in that order:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-09-28 17:39:53

Windows 6.0.6001 Service Pack 1

Running: ljkh12jk.exe; Driver: C:\Users\LAUREN~1\AppData\Local\Temp\kxxyipog.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x807BF068]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x807BF092]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x807BF07E]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x807BF054]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8242A1C0 5 Bytes JMP 807BF058 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 825E5FBC 5 Bytes JMP 807BF096 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 8262780E 7 Bytes JMP 807BF06C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82627E65 5 Bytes JMP 807BF082 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BC01340, 0x2926E7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[676] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 0024000A

.text C:\Windows\system32\services.exe[676] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 00240FEF

.text C:\Windows\system32\services.exe[676] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 00240025

.text C:\Windows\system32\services.exe[676] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 002300A0

.text C:\Windows\system32\services.exe[676] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00230085

.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 002300D6

.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 00230F3F

.text C:\Windows\system32\services.exe[676] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00230060

.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 00230014

.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00230F7C

.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 0023002F

.text C:\Windows\system32\services.exe[676] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00230F6B

.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00230F97

.text C:\Windows\system32\services.exe[676] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00230FA8

.text C:\Windows\system32\services.exe[676] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00230F5A

.text C:\Windows\system32\services.exe[676] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00230F24

.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00230FDE

.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00230FEF

.text C:\Windows\system32\services.exe[676] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00230FC3

.text C:\Windows\system32\services.exe[676] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 002300B1

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00540F8D

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00540FC3

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00540000

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00540FA8

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00540F7C

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00540FD4

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00540FE5

.text C:\Windows\system32\services.exe[676] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00540025

.text C:\Windows\system32\services.exe[676] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 002E0056

.text C:\Windows\system32\services.exe[676] msvcrt.dll!system 76598B63 5 Bytes JMP 002E0FC1

.text C:\Windows\system32\services.exe[676] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 002E0FD2

.text C:\Windows\system32\services.exe[676] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 002E000C

.text C:\Windows\system32\services.exe[676] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 002E0027

.text C:\Windows\system32\services.exe[676] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 002E0FE3

.text C:\Windows\system32\services.exe[676] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00550FEF

.text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 001C0FEF

.text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 001C0FCD

.text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 001C0FDE

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 001B00A4

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 001B0F5E

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 001B00C6

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 001B00B5

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 001B0F9B

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 001B0036

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 001B0FB6

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 001B0062

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 001B0F8A

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 001B0073

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 001B0051

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 001B0F79

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 001B00D7

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 001B000A

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 001B0FEF

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 001B001B

.text C:\Windows\system32\lsass.exe[692] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 001B0F39

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 005A005B

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 005A0FCA

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 005A000A

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 005A0FB9

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 005A006C

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 005A0036

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 005A0025

.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 005A0FE5

.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 001D002A

.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!system 76598B63 5 Bytes JMP 001D0F95

.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 001D0FC1

.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 001D0FE3

.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 001D0FB0

.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 001D0FD2

.text C:\Windows\system32\lsass.exe[692] WS2_32.dll!socket 77E836D1 5 Bytes JMP 005B0000

.text C:\Windows\system32\svchost.exe[888] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 007B0FEF

.text C:\Windows\system32\svchost.exe[888] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 007B000A

.text C:\Windows\system32\svchost.exe[888] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 007B0FD4

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 00180090

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 0018007F

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 00180F14

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 001800AB

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00180F6F

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 00180011

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00180F80

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00180033

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00180064

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00180F91

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00180022

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00180F54

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 001800C6

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00180FE5

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00180000

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00180FCA

.text C:\Windows\system32\svchost.exe[888] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00180F25

.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 007C0FB2

.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!system 76598B63 5 Bytes JMP 007C0033

.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 007C0FDE

.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 007C0FEF

.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 007C0FC3

.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 007C000C

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 007D0FB9

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 007D0036

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 007D0FEF

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 007D0051

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 007D0FA8

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 007D0014

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 007D0FDE

.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 007D0025

.text C:\Windows\system32\svchost.exe[888] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00C80000

.text C:\Windows\system32\svchost.exe[972] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 00330000

.text C:\Windows\system32\svchost.exe[972] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 00330022

.text C:\Windows\system32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 00330011

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 00210F88

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00210F99

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 0021010E

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 002100E9

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00210084

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 00210036

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00210FAA

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00210058

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 002100A9

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00210073

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00210047

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 002100BA

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00210F5C

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 0021001B

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00210000

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00210FE5

.text C:\Windows\system32\svchost.exe[972] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00210F77

.text C:\Windows\system32\svchost.exe[972] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00340FC8

.text C:\Windows\system32\svchost.exe[972] msvcrt.dll!system 76598B63 5 Bytes JMP 00340049

.text C:\Windows\system32\svchost.exe[972] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 0034001D

.text C:\Windows\system32\svchost.exe[972] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00340000

.text C:\Windows\system32\svchost.exe[972] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00340038

.text C:\Windows\system32\svchost.exe[972] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00340FE3

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00350FB2

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00350FC3

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00350000

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00350054

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00350FA1

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 0035001B

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00350FE5

.text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00350FD4

.text C:\Windows\system32\svchost.exe[972] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00930FEF

.text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 001D0FEF

.text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 001D0FC3

.text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 001D0FD4

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 001B0F4E

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 001B008A

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 001B00C0

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 001B0F33

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 001B0065

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 001B002F

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 001B0F8B

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 001B004A

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 001B0F7A

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 001B0FA8

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 001B0FC3

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 001B0F5F

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 001B00E5

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 001B0FDE

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 001B0FEF

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 001B0014

.text C:\Windows\System32\svchost.exe[1112] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 001B00AF

.text C:\Windows\System32\svchost.exe[1112] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00670FA6

.text C:\Windows\System32\svchost.exe[1112] msvcrt.dll!system 76598B63 5 Bytes JMP 00670FB7

.text C:\Windows\System32\svchost.exe[1112] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 00670FE3

.text C:\Windows\System32\svchost.exe[1112] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00670000

.text C:\Windows\System32\svchost.exe[1112] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00670FC8

.text C:\Windows\System32\svchost.exe[1112] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00670011

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00680F80

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00680FAF

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00680000

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 0068002C

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 0068003D

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00680FC0

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00680FE5

.text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 0068001B

.text C:\Windows\System32\svchost.exe[1112] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00690000

.text C:\Windows\System32\svchost.exe[1144] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 00CD0FE5

.text C:\Windows\System32\svchost.exe[1144] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 00CD0014

.text C:\Windows\System32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 00CD0FD4

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 00CA00BB

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00CA0F6B

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 00CA0F5A

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 00CA00F1

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00CA0071

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 00CA0FD4

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00CA0F8D

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00CA0FA8

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 77A88D7E 1 Byte [E9]

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00CA0082

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00CA004A

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00CA0FC3

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00CA0F7C

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00CA0F3F

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00CA0014

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00CA0FEF

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00CA0025

.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00CA00CC

.text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00CE0049

.text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!system 76598B63 5 Bytes JMP 00CE0038

.text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 00CE001D

.text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00CE0FEF

.text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00CE0FC8

.text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00CE0000

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 01180FAF

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 01180FC0

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 01180000

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 01180051

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 01180F94

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 0118002C

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 0118001B

.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 01180FD1

.text C:\Windows\System32\svchost.exe[1144] WS2_32.dll!socket 77E836D1 5 Bytes JMP 01190FE5

.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 00DD0FEF

.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 00DD0FCD

.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 00DD0FDE

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 00D0009B

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00D00076

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 00D00F30

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 00D000BD

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00D00F81

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 00D00FB9

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00D00F9E

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00D00040

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00D00F66

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00D00051

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00D0002F

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00D00F4B

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00D000D8

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00D0000A

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00D00FEF

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00D00FD4

.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00D000AC

.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00DE0038

.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!system 76598B63 5 Bytes JMP 00DE0FAD

.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 00DE0FD2

.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00DE0000

.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00DE001D

.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00DE0FE3

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00DF004A

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00DF001E

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00DF0FEF

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00DF002F

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00DF005B

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00DF0FC3

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00DF0FDE

.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00DF0FA8

.text C:\Windows\system32\svchost.exe[1220] WS2_32.dll!socket 77E836D1 5 Bytes JMP 01040000

.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 00C00FEF

.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 00C00025

.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 00C0000A

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 008C0F88

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 008C00CE

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 008C0F63

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 008C0104

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 008C007D

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 008C001B

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 008C006C

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 008C0040

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 008C008E

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 008C005B

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 008C0FB9

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 008C00A9

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 008C011F

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 008C0FCA

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 008C0FEF

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 008C000A

.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 008C00DF

.text C:\Windows\system32\svchost.exe[1344] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00C10F92

.text C:\Windows\system32\svchost.exe[1344] msvcrt.dll!system 76598B63 5 Bytes JMP 00C10FAD

.text C:\Windows\system32\svchost.exe[1344] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 00C10FC8

.text C:\Windows\system32\svchost.exe[1344] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00C10000

.text C:\Windows\system32\svchost.exe[1344] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00C1001D

.text C:\Windows\system32\svchost.exe[1344] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00C10FE3

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00C80062

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00C80FDB

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00C80000

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00C80FCA

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00C80FA5

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00C8002C

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00C8001B

.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00C80047

.text C:\Windows\system32\svchost.exe[1344] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00C90000

.text C:\Windows\system32\svchost.exe[1344] WinInet.dll!InternetOpenA 76890A4D 5 Bytes JMP 00C70000

.text C:\Windows\system32\svchost.exe[1344] WinInet.dll!InternetOpenUrlA 76892713 5 Bytes JMP 00C70025

.text C:\Windows\system32\svchost.exe[1344] WinInet.dll!InternetOpenW 768930C8 5 Bytes JMP 00C70FE5

.text C:\Windows\system32\svchost.exe[1344] WinInet.dll!InternetOpenUrlW 768E84F1 5 Bytes JMP 00C70FD4

.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 01E50FEF

.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 01E5000A

.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 01E50FD4

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 00D30085

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00D30F3F

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 00D30F09

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 00D300A0

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00D30F6B

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 00D30F9E

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00D30039

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00D3001E

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00D30F5A

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00D30F7C

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00D30F8D

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00D3006A

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00D300BB

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00D30FD4

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00D30FEF

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00D30FB9

.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00D30F24

.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 02690FB7

.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!system 76598B63 5 Bytes JMP 02690038

.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 02690FD2

.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 02690000

.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 02690027

.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 02690FE3

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 026A0FC3

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 026A005B

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 026A0FEF

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 026A0FD4

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 026A0076

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 026A002F

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 026A000A

.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 026A0040

.text C:\Windows\system32\svchost.exe[1492] WS2_32.dll!socket 77E836D1 5 Bytes JMP 02730FEF

.text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 030E0000

.text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 030E0022

.text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 030E0011

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 030D0F57

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 030D009D

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 030D0F32

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 030D00C9

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 030D0071

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 030D0FB9

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 030D0060

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 030D0F97

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!VirtualProtectEx 77A88D7E 1 Byte [E9]

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 030D0082

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 030D0039

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 030D0FA8

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 030D0F72

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 030D0F21

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 030D000A

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 030D0FEF

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 030D0FCA

.text C:\Windows\Explorer.EXE[1888] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 030D00AE

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 02F60076

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 02F60047

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 02F60000

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 02F60FCA

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 02F60091

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 02F6001B

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 02F60FE5

.text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 02F60036

.text C:\Windows\Explorer.EXE[1888] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 03100050

.text C:\Windows\Explorer.EXE[1888] msvcrt.dll!system 76598B63 5 Bytes JMP 0310003F

.text C:\Windows\Explorer.EXE[1888] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 0310002E

.text C:\Windows\Explorer.EXE[1888] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 03100000

.text C:\Windows\Explorer.EXE[1888] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 03100FCF

.text C:\Windows\Explorer.EXE[1888] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 0310001D

.text C:\Windows\Explorer.EXE[1888] WS2_32.dll!socket 77E836D1 5 Bytes JMP 03190FEF

.text C:\Windows\Explorer.EXE[1888] WININET.dll!InternetOpenA 76890A4D 5 Bytes JMP 03120FEF

.text C:\Windows\Explorer.EXE[1888] WININET.dll!InternetOpenUrlA 76892713 5 Bytes JMP 03120FB9

.text C:\Windows\Explorer.EXE[1888] WININET.dll!InternetOpenW 768930C8 5 Bytes JMP 03120FD4

.text C:\Windows\Explorer.EXE[1888] WININET.dll!InternetOpenUrlW 768E84F1 5 Bytes JMP 03120014

.text C:\Windows\system32\svchost.exe[2552] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 009A0000

.text C:\Windows\system32\svchost.exe[2552] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 009A0FCA

.text C:\Windows\system32\svchost.exe[2552] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 009A0FE5

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 009900A2

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00990F5C

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 009900BD

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 00990F30

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00990073

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 0099003D

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00990062

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00990FB6

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00990F7E

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00990FA5

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00990FD1

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00990F6D

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00990F01

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 0099001B

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00990000

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 0099002C

.text C:\Windows\system32\svchost.exe[2552] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00990F41

.text C:\Windows\system32\svchost.exe[2552] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00920F9E

.text C:\Windows\system32\svchost.exe[2552] msvcrt.dll!system 76598B63 5 Bytes JMP 00920FB9

.text C:\Windows\system32\svchost.exe[2552] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 00920029

.text C:\Windows\system32\svchost.exe[2552] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00920FEF

.text C:\Windows\system32\svchost.exe[2552] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00920FD4

.text C:\Windows\system32\svchost.exe[2552] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00920018

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00970036

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00970FAF

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00970000

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00970F94

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00970047

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00970FCA

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00970FE5

.text C:\Windows\system32\svchost.exe[2552] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00970025

.text C:\Windows\system32\svchost.exe[2552] WS2_32.dll!socket 77E836D1 5 Bytes JMP 009B0000

.text C:\Windows\system32\svchost.exe[3040] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 00660000

.text C:\Windows\system32\svchost.exe[3040] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 0066001B

.text C:\Windows\system32\svchost.exe[3040] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 00660FE5

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 00610F37

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00610F52

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 006100C4

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 006100A9

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00610F81

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 0061000A

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 0061005B

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00610F9E

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00610076

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 00610040

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 0061001B

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00610087

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00610F12

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00610FD4

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00610FEF

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00610FB9

.text C:\Windows\system32\svchost.exe[3040] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00610098

.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00070042

.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!system 76598B63 5 Bytes JMP 00070027

.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 00070016

.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00070FE3

.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00070FC1

.text C:\Windows\system32\svchost.exe[3040] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00070FD2

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 005E0F91

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 005E0033

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 005E0000

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 005E0FAC

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 005E0F80

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 005E0011

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 005E0FDB

.text C:\Windows\system32\svchost.exe[3040] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 005E0022

.text C:\Windows\system32\svchost.exe[3040] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00670FEF

.text C:\Windows\system32\svchost.exe[3360] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 00C9000A

.text C:\Windows\system32\svchost.exe[3360] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 00C90FDE

.text C:\Windows\system32\svchost.exe[3360] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 00C90FEF

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 008B0F5A

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 008B0F6B

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 008B00D6

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 008B00C5

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 008B0060

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 008B0FC3

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 008B0043

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 008B0FA1

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 008B007B

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 008B0F90

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 008B0FB2

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 008B008C

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 008B00E7

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 008B000A

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 008B0FEF

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 008B0FD4

.text C:\Windows\system32\svchost.exe[3360] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 008B0F3F

.text C:\Windows\system32\svchost.exe[3360] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00300FB7

.text C:\Windows\system32\svchost.exe[3360] msvcrt.dll!system 76598B63 5 Bytes JMP 00300FC8

.text C:\Windows\system32\svchost.exe[3360] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 00300027

.text C:\Windows\system32\svchost.exe[3360] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 00300FEF

.text C:\Windows\system32\svchost.exe[3360] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00300038

.text C:\Windows\system32\svchost.exe[3360] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 0030000C

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 008A0F94

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 008A0FB9

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 008A0000

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 008A0040

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 008A0F79

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 008A0FEF

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 008A001B

.text C:\Windows\system32\svchost.exe[3360] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 008A0FD4

.text C:\Windows\system32\svchost.exe[3360] WS2_32.dll!socket 77E836D1 5 Bytes JMP 00CA0FE5

.text C:\Windows\System32\svchost.exe[3388] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 00080FEF

.text C:\Windows\System32\svchost.exe[3388] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 0008002F

.text C:\Windows\System32\svchost.exe[3388] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 0008000A

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 000700B0

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 00070F6A

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 000700F0

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 000700D5

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00070070

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 0007002C

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 0007005F

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 0007003D

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00070F7B

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 0007004E

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00070FC0

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 0007008B

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 00070101

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00070FDB

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00070000

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 0007001B

.text C:\Windows\System32\svchost.exe[3388] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 00070F59

.text C:\Windows\System32\svchost.exe[3388] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 0005003F

.text C:\Windows\System32\svchost.exe[3388] msvcrt.dll!system 76598B63 5 Bytes JMP 00050FB4

.text C:\Windows\System32\svchost.exe[3388] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 0005001D

.text C:\Windows\System32\svchost.exe[3388] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 0005000C

.text C:\Windows\System32\svchost.exe[3388] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 0005002E

.text C:\Windows\System32\svchost.exe[3388] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00050FEF

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00060F9E

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 0006002F

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00060FEF

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 0006004A

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00060065

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00060FD4

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 0006000A

.text C:\Windows\System32\svchost.exe[3388] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00060FC3

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3692] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 694D9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3692] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 694D9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\Windows\system32\wuauclt.exe[4268] ntdll.dll!NtCreateFile 77D28008 5 Bytes JMP 0004000A

.text C:\Windows\system32\wuauclt.exe[4268] ntdll.dll!NtCreateProcess 77D280C8 5 Bytes JMP 0004002C

.text C:\Windows\system32\wuauclt.exe[4268] ntdll.dll!NtProtectVirtualMemory 77D28968 5 Bytes JMP 0004001B

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!GetStartupInfoW 77A61929 5 Bytes JMP 000100B8

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!GetStartupInfoA 77A619C9 5 Bytes JMP 000100A7

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!CreateProcessW 77A61C01 5 Bytes JMP 00010F3C

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!CreateProcessA 77A61C36 5 Bytes JMP 00010F4D

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!VirtualProtect 77A61DD1 5 Bytes JMP 00010F8D

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!CreateNamedPipeW 77A65C44 5 Bytes JMP 00010FB2

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!LoadLibraryExW 77A830C3 5 Bytes JMP 00010067

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!LoadLibraryW 77A8361F 5 Bytes JMP 00010039

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!VirtualProtectEx 77A88D7E 5 Bytes JMP 00010F7C

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!LoadLibraryExA 77A89469 5 Bytes JMP 0001004A

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!LoadLibraryA 77A89491 5 Bytes JMP 00010028

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!CreatePipe 77A90284 5 Bytes JMP 00010096

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!GetProcAddress 77AAB8B6 5 Bytes JMP 000100E4

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!CreateFileW 77AACC4E 5 Bytes JMP 00010FD4

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!CreateFileA 77AACF71 5 Bytes JMP 00010FEF

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!CreateNamedPipeA 77AF430E 5 Bytes JMP 00010FC3

.text C:\Windows\system32\wuauclt.exe[4268] kernel32.dll!WinExec 77AF54FF 5 Bytes JMP 000100C9

.text C:\Windows\system32\wuauclt.exe[4268] msvcrt.dll!_wsystem 76598A47 5 Bytes JMP 00080FCA

.text C:\Windows\system32\wuauclt.exe[4268] msvcrt.dll!system 76598B63 5 Bytes JMP 00080FE5

.text C:\Windows\system32\wuauclt.exe[4268] msvcrt.dll!_creat 7659C6F1 5 Bytes JMP 0008003A

.text C:\Windows\system32\wuauclt.exe[4268] msvcrt.dll!_open 7659DA7E 5 Bytes JMP 0008000C

.text C:\Windows\system32\wuauclt.exe[4268] msvcrt.dll!_wcreat 7659DC9E 5 Bytes JMP 00080055

.text C:\Windows\system32\wuauclt.exe[4268] msvcrt.dll!_wopen 7659DE79 5 Bytes JMP 00080029

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00090069

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 0009003D

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00090FE5

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 0009004E

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00090FAC

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 0009001B

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 0009000A

.text C:\Windows\system32\wuauclt.exe[4268] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 0009002C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


The logs wouldn't all fit in one post. Here are the TDSSKiller and ComboFix logs.

2010/09/29 17:25:55.0473 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/29 17:25:55.0473 ================================================================================

2010/09/29 17:25:55.0473 SystemInfo:

2010/09/29 17:25:55.0473

2010/09/29 17:25:55.0473 OS Version: 6.0.6001 ServicePack: 1.0

2010/09/29 17:25:55.0473 Product type: Workstation

2010/09/29 17:25:55.0473 ComputerName: LAURENANDBEN-PC

2010/09/29 17:25:55.0473 UserName: Lauren and Ben

2010/09/29 17:25:55.0473 Windows directory: C:\Windows

2010/09/29 17:25:55.0473 System windows directory: C:\Windows

2010/09/29 17:25:55.0473 Processor architecture: Intel x86

2010/09/29 17:25:55.0473 Number of processors: 2

2010/09/29 17:25:55.0473 Page size: 0x1000

2010/09/29 17:25:55.0473 Boot type: Normal boot

2010/09/29 17:25:55.0473 ================================================================================

2010/09/29 17:25:56.0160 Initialize success

2010/09/29 17:25:59.0389 ================================================================================

2010/09/29 17:25:59.0389 Scan started

2010/09/29 17:25:59.0389 Mode: Manual;

2010/09/29 17:25:59.0389 ================================================================================

2010/09/29 17:26:01.0994 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys

2010/09/29 17:26:02.0306 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys

2010/09/29 17:26:02.0774 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys

2010/09/29 17:26:03.0149 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys

2010/09/29 17:26:03.0679 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys

2010/09/29 17:26:04.0428 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys

2010/09/29 17:26:04.0989 agp440 (8b10ce1c1f9f1d47e4deb1a547a00cd4) C:\Windows\system32\drivers\agp440.sys

2010/09/29 17:26:05.0286 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys

2010/09/29 17:26:05.0691 aliide (5c42a992e68724d2cd3ddb4fc3b0409f) C:\Windows\system32\drivers\aliide.sys

2010/09/29 17:26:06.0269 amdagp (848f27e5b27c1c253f6cefdc1a5d8f21) C:\Windows\system32\drivers\amdagp.sys

2010/09/29 17:26:07.0080 amdide (849dfacdde533da5d1810f0caf84eb19) C:\Windows\system32\drivers\amdide.sys

2010/09/29 17:26:08.0156 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys

2010/09/29 17:26:08.0921 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys

2010/09/29 17:26:09.0092 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys

2010/09/29 17:26:09.0155 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys

2010/09/29 17:26:09.0295 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys

2010/09/29 17:26:09.0357 atapi (9e7e85ec61d1c9c3171cc08427108863) C:\Windows\system32\drivers\atapi.sys

2010/09/29 17:26:09.0716 athrusb (44fa26470d4c8123ccf71f4200b782d3) C:\Windows\system32\DRIVERS\athrusb.sys

2010/09/29 17:26:10.0059 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys

2010/09/29 17:26:10.0247 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys

2010/09/29 17:26:10.0434 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys

2010/09/29 17:26:10.0481 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys

2010/09/29 17:26:10.0527 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys

2010/09/29 17:26:10.0574 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys

2010/09/29 17:26:10.0605 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys

2010/09/29 17:26:10.0652 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys

2010/09/29 17:26:10.0683 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys

2010/09/29 17:26:10.0761 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys

2010/09/29 17:26:10.0886 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys

2010/09/29 17:26:11.0027 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys

2010/09/29 17:26:11.0105 cfwids (426ee59b25988bb3382fc0a3655deaa2) C:\Windows\system32\drivers\cfwids.sys

2010/09/29 17:26:11.0339 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys

2010/09/29 17:26:11.0573 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys

2010/09/29 17:26:11.0635 cmdide (de11a06e187756ecb86cfa82dac40ff7) C:\Windows\system32\drivers\cmdide.sys

2010/09/29 17:26:11.0853 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys

2010/09/29 17:26:12.0056 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys

2010/09/29 17:26:12.0087 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys

2010/09/29 17:26:12.0181 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys

2010/09/29 17:26:12.0368 CVPNDRVA (8a8f14cded7187c39ab31cb34c65bceb) C:\Windows\system32\Drivers\CVPNDRVA.sys

2010/09/29 17:26:12.0524 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys

2010/09/29 17:26:12.0711 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys

2010/09/29 17:26:12.0805 DLABMFSM (a53723176d0002feb486eff8e17812f2) C:\Windows\system32\DLA\DLABMFSM.SYS

2010/09/29 17:26:12.0899 DLABOIOM (d4587063acea776699251e177d719586) C:\Windows\system32\DLA\DLABOIOM.SYS

2010/09/29 17:26:13.0023 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\Windows\system32\Drivers\DLACDBHM.SYS

2010/09/29 17:26:13.0117 DLADResM (c950c2e7b9ed1a4fc4a2ac7ec044f1d6) C:\Windows\system32\DLA\DLADResM.SYS

2010/09/29 17:26:13.0195 DLAIFS_M (24400137e387a24410c52a591f3cfb4d) C:\Windows\system32\DLA\DLAIFS_M.SYS

2010/09/29 17:26:13.0289 DLAOPIOM (29a303feceb28641ecebdae89eb71c63) C:\Windows\system32\DLA\DLAOPIOM.SYS

2010/09/29 17:26:13.0382 DLAPoolM (c93e33a22a1ae0c5508f3fb1f6d0a50c) C:\Windows\system32\DLA\DLAPoolM.SYS

2010/09/29 17:26:13.0491 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\Windows\system32\Drivers\DLARTL_M.SYS

2010/09/29 17:26:13.0694 DLAUDFAM (b953498c35a31e5ac98f49adbcf3e627) C:\Windows\system32\DLA\DLAUDFAM.SYS

2010/09/29 17:26:13.0788 DLAUDF_M (4897704c093c1f59ce58fc65e1e1ef1e) C:\Windows\system32\DLA\DLAUDF_M.SYS

2010/09/29 17:26:14.0006 DNE (8101650993b2f79118d2bf24402c390d) C:\Windows\system32\DRIVERS\dne2000.sys

2010/09/29 17:26:14.0084 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys

2010/09/29 17:26:14.0147 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\Windows\system32\Drivers\DRVMCDB.SYS

2010/09/29 17:26:14.0271 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\Windows\system32\Drivers\DRVNDDM.SYS

2010/09/29 17:26:14.0427 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

2010/09/29 17:26:14.0490 dsunidrv (64fa28c15dd71a80bef3527e1ef07df6) C:\Program Files\DellSupport\Drivers\dsunidrv.sys

2010/09/29 17:26:14.0755 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys

2010/09/29 17:26:15.0083 e1express (7505290504c8e2d172fa378cc0497bcc) C:\Windows\system32\DRIVERS\e1e6032.sys

2010/09/29 17:26:15.0504 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys

2010/09/29 17:26:15.0847 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys

2010/09/29 17:26:16.0159 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys

2010/09/29 17:26:16.0346 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys

2010/09/29 17:26:16.0471 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys

2010/09/29 17:26:16.0565 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys

2010/09/29 17:26:16.0658 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys

2010/09/29 17:26:16.0721 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys

2010/09/29 17:26:16.0799 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys

2010/09/29 17:26:16.0955 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys

2010/09/29 17:26:17.0095 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys

2010/09/29 17:26:17.0173 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys

2010/09/29 17:26:17.0282 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys

2010/09/29 17:26:17.0376 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys

2010/09/29 17:26:17.0423 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys

2010/09/29 17:26:17.0485 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys

2010/09/29 17:26:17.0610 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys

2010/09/29 17:26:17.0672 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys

2010/09/29 17:26:17.0766 HSF_DPV (53229dcf431d76434816cd29251168a0) C:\Windows\system32\DRIVERS\HSX_DPV.sys

2010/09/29 17:26:17.0953 HSXHWBS2 (ed98350ecd4a5a9c9f1e641c09872bb2) C:\Windows\system32\DRIVERS\HSXHWBS2.sys

2010/09/29 17:26:18.0171 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys

2010/09/29 17:26:18.0764 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys

2010/09/29 17:26:18.0967 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys

2010/09/29 17:26:19.0248 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys

2010/09/29 17:26:19.0607 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys

2010/09/29 17:26:20.0527 intelide (1b16626beae3a52e611fc681cd796f86) C:\Windows\system32\drivers\intelide.sys

2010/09/29 17:26:20.0948 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys

2010/09/29 17:26:21.0494 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2010/09/29 17:26:21.0869 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys

2010/09/29 17:26:21.0993 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys

2010/09/29 17:26:22.0664 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys

2010/09/29 17:26:23.0007 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys

2010/09/29 17:26:23.0943 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys

2010/09/29 17:26:24.0489 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys

2010/09/29 17:26:25.0363 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys

2010/09/29 17:26:27.0048 Jukebox3 (7c9259e4d0e98c99e30d7d8f0e548cff) C:\Windows\system32\DRIVERS\ctpdusb.sys

2010/09/29 17:26:27.0890 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys

2010/09/29 17:26:28.0499 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys

2010/09/29 17:26:29.0825 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys

2010/09/29 17:26:30.0636 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys

2010/09/29 17:26:31.0619 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys

2010/09/29 17:26:32.0711 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys

2010/09/29 17:26:32.0851 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys

2010/09/29 17:26:32.0991 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys

2010/09/29 17:26:34.0442 LVcKap (fb548ff809634bfa866312b37d8a18ae) C:\Windows\system32\DRIVERS\LVcKap.sys

2010/09/29 17:26:36.0096 LVMVDrv (fe3fb994f8702d9e37648927819b74b8) C:\Windows\system32\DRIVERS\LVMVDrv.sys

2010/09/29 17:26:36.0720 LVPr2Mon (c7ea51f1ab10b0b2b443f4d5589fc1a5) C:\Windows\system32\DRIVERS\LVPr2Mon.sys

2010/09/29 17:26:37.0656 LVUSBSta (caef4c05ba2c1acad4ebcaa4261cd55d) C:\Windows\system32\drivers\LVUSBSta.sys

2010/09/29 17:26:38.0826 MAUSBFT (af8ef3341db8a3aa922c3c2a453d5677) C:\Windows\system32\DRIVERS\mausbft.sys

2010/09/29 17:26:40.0043 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys

2010/09/29 17:26:40.0776 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys

2010/09/29 17:26:41.0447 mfeapfk (5bd0c401a8ee4a54f6176c0a10d595ae) C:\Windows\system32\drivers\mfeapfk.sys

2010/09/29 17:26:41.0915 mfeavfk (f3bb4dc61b4dc662bdc778cf1634fae1) C:\Windows\system32\drivers\mfeavfk.sys

2010/09/29 17:26:43.0350 mfebopk (b1498db38d129ed31650422fc8bab9c5) C:\Windows\system32\drivers\mfebopk.sys

2010/09/29 17:26:43.0709 mfefirek (51e9ccea45c78858a229afb6e682cf41) C:\Windows\system32\drivers\mfefirek.sys

2010/09/29 17:26:44.0255 mfehidk (32f7298664874715ce469a79078853c4) C:\Windows\system32\drivers\mfehidk.sys

2010/09/29 17:26:45.0066 mfenlfk (e920bfd5837aed4aef903cf1c7d3949e) C:\Windows\system32\DRIVERS\mfenlfk.sys

2010/09/29 17:26:45.0456 mferkdet (858337b64484cd80eee7d2eba5ac61bc) C:\Windows\system32\drivers\mferkdet.sys

2010/09/29 17:26:46.0329 mfewfpk (dcfbf068951fb4086c6aef99c6330516) C:\Windows\system32\drivers\mfewfpk.sys

2010/09/29 17:26:47.0343 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys

2010/09/29 17:26:47.0952 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys

2010/09/29 17:26:49.0215 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys

2010/09/29 17:26:49.0949 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys

2010/09/29 17:26:50.0666 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys

2010/09/29 17:26:51.0571 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys

2010/09/29 17:26:52.0507 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys

2010/09/29 17:26:53.0225 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

2010/09/29 17:26:54.0410 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys

2010/09/29 17:26:55.0346 mrxsmb (7afc42e60432fd1014f5342f2b1b1f74) C:\Windows\system32\DRIVERS\mrxsmb.sys

2010/09/29 17:26:56.0844 mrxsmb10 (8a75752ae17924f65452746674b14b78) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2010/09/29 17:26:57.0686 mrxsmb20 (f4d0f3252e651f02be64984ffa738394) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2010/09/29 17:26:59.0121 msahci (0d1c042188ffe61a702a9df5944de5ba) C:\Windows\system32\drivers\msahci.sys

2010/09/29 17:26:59.0948 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys

2010/09/29 17:27:00.0978 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys

2010/09/29 17:27:02.0132 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys

2010/09/29 17:27:03.0068 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys

2010/09/29 17:27:03.0864 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys

2010/09/29 17:27:04.0503 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys

2010/09/29 17:27:05.0346 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys

2010/09/29 17:27:05.0923 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys

2010/09/29 17:27:06.0188 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys

2010/09/29 17:27:06.0750 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys

2010/09/29 17:27:07.0920 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys

2010/09/29 17:27:09.0074 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys

2010/09/29 17:27:10.0338 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys

2010/09/29 17:27:10.0837 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys

2010/09/29 17:27:11.0445 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys

2010/09/29 17:27:11.0960 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys

2010/09/29 17:27:12.0631 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys

2010/09/29 17:27:13.0068 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys

2010/09/29 17:27:13.0785 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

2010/09/29 17:27:14.0628 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys

2010/09/29 17:27:15.0923 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys

2010/09/29 17:27:17.0202 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys

2010/09/29 17:27:17.0420 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

2010/09/29 17:27:17.0919 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys

2010/09/29 17:27:18.0481 nvlddmkm (b02587fa997723297384c95f424e78fa) C:\Windows\system32\DRIVERS\nvlddmkm.sys

2010/09/29 17:27:18.0871 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys

2010/09/29 17:27:19.0027 nvstor (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\drivers\nvstor.sys

2010/09/29 17:27:19.0230 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys

2010/09/29 17:27:19.0464 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys

2010/09/29 17:27:19.0526 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys

2010/09/29 17:27:19.0604 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys

2010/09/29 17:27:19.0651 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys

2010/09/29 17:27:19.0791 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys

2010/09/29 17:27:19.0916 pciide (54d23dc5b5072311116826fdb7f6e83e) C:\Windows\system32\drivers\pciide.sys

2010/09/29 17:27:20.0103 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys

2010/09/29 17:27:20.0181 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys

2010/09/29 17:27:20.0353 pepifilter (c5d5ea6a29523e0f6016741e9851c6db) C:\Windows\system32\DRIVERS\lv302af.sys

2010/09/29 17:27:20.0712 PID_PEPI (3f96dcd4ac98c8e0d3c03c24fd49a2fe) C:\Windows\system32\DRIVERS\LV302V32.SYS

2010/09/29 17:27:21.0071 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys

2010/09/29 17:27:21.0211 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys

2010/09/29 17:27:21.0336 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys

2010/09/29 17:27:21.0383 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys

2010/09/29 17:27:21.0679 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys

2010/09/29 17:27:22.0085 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys

2010/09/29 17:27:22.0163 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys

2010/09/29 17:27:22.0303 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys

2010/09/29 17:27:22.0599 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys

2010/09/29 17:27:22.0693 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys

2010/09/29 17:27:22.0771 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys

2010/09/29 17:27:22.0849 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys

2010/09/29 17:27:22.0911 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys

2010/09/29 17:27:23.0005 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys

2010/09/29 17:27:23.0130 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\drivers\rdpdr.sys

2010/09/29 17:27:23.0301 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys

2010/09/29 17:27:23.0457 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys

2010/09/29 17:27:23.0567 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys

2010/09/29 17:27:23.0645 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys

2010/09/29 17:27:23.0723 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

2010/09/29 17:27:23.0785 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys

2010/09/29 17:27:23.0972 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys

2010/09/29 17:27:24.0066 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys

2010/09/29 17:27:24.0159 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys

2010/09/29 17:27:24.0237 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys

2010/09/29 17:27:24.0284 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys

2010/09/29 17:27:24.0440 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys

2010/09/29 17:27:24.0549 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys

2010/09/29 17:27:24.0674 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys

2010/09/29 17:27:24.0783 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys

2010/09/29 17:27:24.0846 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys

2010/09/29 17:27:24.0955 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys

2010/09/29 17:27:25.0064 srv (9a0163e7fbe59da0591bb1ad77d92e63) C:\Windows\system32\DRIVERS\srv.sys

2010/09/29 17:27:25.0470 srv2 (c7da26d2c7d480b1dd38ca19cc90b821) C:\Windows\system32\DRIVERS\srv2.sys

2010/09/29 17:27:25.0641 srvnet (f9c65e1e00a6bbf7c57d9b8ea068c525) C:\Windows\system32\DRIVERS\srvnet.sys

2010/09/29 17:27:25.0751 STHDA (9cea131b5eb0ea653f6b3ea80b54956d) C:\Windows\system32\drivers\stwrt.sys

2010/09/29 17:27:26.0109 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys

2010/09/29 17:27:26.0187 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys

2010/09/29 17:27:26.0234 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys

2010/09/29 17:27:26.0297 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys

2010/09/29 17:27:26.0437 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys

2010/09/29 17:27:26.0718 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys

2010/09/29 17:27:26.0811 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys

2010/09/29 17:27:26.0874 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys

2010/09/29 17:27:26.0983 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys

2010/09/29 17:27:27.0045 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys

2010/09/29 17:27:27.0123 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys

2010/09/29 17:27:27.0763 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys

2010/09/29 17:27:27.0841 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys

2010/09/29 17:27:27.0981 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys

2010/09/29 17:27:28.0106 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys

2010/09/29 17:27:28.0387 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys

2010/09/29 17:27:28.0621 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys

2010/09/29 17:27:28.0902 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys

2010/09/29 17:27:29.0120 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys

2010/09/29 17:27:29.0354 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys

2010/09/29 17:27:29.0417 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys

2010/09/29 17:27:29.0541 usbaudio (292a25bb75a568ae2c67169ba2c6365a) C:\Windows\system32\drivers\usbaudio.sys

2010/09/29 17:27:29.0604 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys

2010/09/29 17:27:29.0729 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys

2010/09/29 17:27:29.0931 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys

2010/09/29 17:27:30.0103 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys

2010/09/29 17:27:30.0212 usbohci (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys

2010/09/29 17:27:30.0290 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys

2010/09/29 17:27:30.0446 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2010/09/29 17:27:30.0571 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys

2010/09/29 17:27:30.0711 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys

2010/09/29 17:27:30.0789 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys

2010/09/29 17:27:30.0852 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys

2010/09/29 17:27:31.0133 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys

2010/09/29 17:27:31.0304 viaide (c0ace9d0f5a5ee0b00f58345947a57fc) C:\Windows\system32\drivers\viaide.sys

2010/09/29 17:27:31.0476 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys

2010/09/29 17:27:31.0585 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys

2010/09/29 17:27:31.0819 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys

2010/09/29 17:27:31.0991 vpnva (1b7c80c66742dafaa31f98af4c3a5bc2) C:\Windows\system32\DRIVERS\vpnva.sys

2010/09/29 17:27:32.0209 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys

2010/09/29 17:27:32.0287 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys

2010/09/29 17:27:32.0412 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2010/09/29 17:27:32.0490 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2010/09/29 17:27:32.0661 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys

2010/09/29 17:27:32.0927 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys

2010/09/29 17:27:33.0348 winachsf (6d2350bb6e77e800fc4be4e5b7a2e89a) C:\Windows\system32\DRIVERS\HSX_CNXT.sys

2010/09/29 17:27:33.0785 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys

2010/09/29 17:27:33.0909 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys

2010/09/29 17:27:33.0987 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys

2010/09/29 17:27:34.0190 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys

2010/09/29 17:27:34.0299 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys

2010/09/29 17:27:34.0455 yusbaud32 (a4e441796eb609187a289d3ab432a89d) C:\Windows\system32\drivers\yusbaud32.sys

2010/09/29 17:27:34.0611 ================================================================================

2010/09/29 17:27:34.0611 Scan finished

2010/09/29 17:27:34.0611 ================================================================================

2010/09/29 17:27:45.0173 Deinitialize success

ComboFix 10-09-29.01 - Lauren and Ben 09/29/2010 17:36:19.1.2 - x86

Microsoft


Please do this:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>

File::
c:\users\Lauren and Ben\AppData\Local\Xhatobere.dat
c:\users\Lauren and Ben\AppData\Local\Ididuqa.bin

Folder::
c:\users\Lauren and Ben\AppData\Local\wqmcfcyxg
c:\users\Lauren and Ben\AppData\Local\tpjdfixey
c:\users\Lauren and Ben\AppData\Local\yosefyxux
c:\users\Lauren and Ben\AppData\Local\docefpwlv
c:\users\Lauren and Ben\AppData\Local\iomefgwcu
c:\users\Lauren and Ben\AppData\Local\kbrefpkkg

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
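The two DDS lines in the script above are the actual hijack: a per-user WinINet proxy of http=127.0.0.1:6092, with ProxyOverride set to <local> so that only loopback/intranet names bypass it. Every HTTP request from Internet Explorer (and from any program that honours the user's WinINet proxy settings) is therefore handed to a process listening on the machine itself, which is how a search redirector gets to rewrite results without touching DNS. The script below is an added example, not code from this thread or from DDS, HijackThis or ComboFix: it pulls the ProxyServer value out of DDS- and HijackThis-style log lines, parses WinINet's proxy syntax (either host:port or a semicolon-separated scheme=host:port list), and flags loopback proxies. The first two sample lines are copied from the logs posted in this thread; the corporate-proxy line and the verdict wording are this example's own assumptions.

```python
"""Find a hijacked WinINet proxy in DDS / HijackThis log lines.

Added example for this thread; it is not code from DDS, HijackThis,
ComboFix or the forum. The first two SAMPLE_LINES are copied from the
logs posted above, the third is a constructed benign line for contrast.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# DDS prints the per-user value as "uInternet Settings,ProxyServer = ..."
# and HijackThis as "R1 - HKCU\...\Internet Settings,ProxyServer = ...";
# both end in the same "Internet Settings,ProxyServer = <value>" tail.
PROXY_LINE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")

# WinINet's ProxyServer value is either "host:port" (used for every
# protocol) or a ';'-separated list of "scheme=host:port" entries.
# Bracketed IPv6 hosts are not handled here.
ENTRY = re.compile(r"^(?:(?P<scheme>[a-z]+)=)?(?P<host>[^:;=]+?)(?::(?P<port>\d+))?$", re.I)

LOOPBACK_HOSTS = {"localhost"}  # plus anything in 127.0.0.0/8, see classify()

SAMPLE_LINES = [
    # copied from the DDS and HijackThis output in this thread
    "uInternet Settings,ProxyServer = http=127.0.0.1:6092",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092",
    # constructed: what a legitimate corporate proxy entry looks like
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:8080",
    # unrelated line that must not match
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
]


class Finding(NamedTuple):
    scheme: str          # "http", "https", "ftp", "socks" or "*" for all
    host: str
    port: Optional[int]
    verdict: str


def parse_proxy_server(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split a WinINet ProxyServer string into (scheme, host, port) tuples."""
    entries = []
    for raw in value.split(";"):
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        scheme = (m.group("scheme") or "*").lower()
        port = int(m.group("port")) if m.group("port") else None
        entries.append((scheme, m.group("host").lower(), port))
    return entries


def classify(host: str) -> str:
    """Assumed triage rule: a proxy on the machine itself means some local
    process sits in front of the browser. That is how a search redirector
    rewrites results, but local AV / web-filter products do the same, so
    this is a lead to follow up, not a conviction."""
    if host in LOOPBACK_HOSTS or host.startswith("127."):
        return "suspicious: loopback proxy, identify the process listening on that port"
    return "review: remote proxy, confirm it is one the user or organisation configured"


def check_log(lines) -> List[Finding]:
    """Return one Finding per proxy entry found in the given log lines."""
    findings = []
    for line in lines:
        m = PROXY_LINE.search(line)
        if not m:
            continue
        for scheme, host, port in parse_proxy_server(m.group("value")):
            findings.append(Finding(scheme, host, port, classify(host)))
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_LINES):
        print(f"{f.scheme:<6} {f.host}:{f.port}  {f.verdict}")
```

On the affected machine the natural follow-up to a "suspicious" verdict is `netstat -ano | findstr 6092` to get the PID bound to the loopback port, then matching that PID against the running-process list; the random-named folders under AppData\Local in the script above are where one would expect that process to live. Clearing the registry value alone is not a fix, because the listener that set it will simply write it back.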


I just noticed that the TBIA Access Denied window was open again behind the ComboFix log. I'm not sure if that is significant.

TBIA Access Denied: there are many possibilities for this; if this was the only time it's happened, I wouldn't be too concerned.

Google "TBIA Access Denied" and you'll find lots of info.

-------------------------------------

Please post a HJT log of the system:

You can download the HJT installer HERE:

Double-click HJTInstall.exe to install it. By default it will install to C:\Program Files\Trend Micro\HijackThis. Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch HijackThis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Save the log to a convenient location.

Copy and paste it into your post.

MrC


Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:29:41 AM, on 9/30/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18498)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Windows\System32\M-AudioTaskBarIcon.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Windows\sttray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Windows\System32\rundll32.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100929175943.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\M-AudioTaskBarIcon.exe

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: VPN Client.lnk = ?

O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: CodeMeter Runtime Server (CodeMeter.exe) - WIBU-SYSTEMS AG - C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 9010 bytes


Have HJT fix this one:

Run HJT and

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

Click on Fix Checked when finished and exit HijackThis.

-------------------------

Reboot and run another scan to see if this entry is gone, if not let me know.

BTW: How is it running? Any improvement?

MrC
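As an added example (not from this thread, and not part of HijackThis), a small Python triage script that flags the two kinds of entries discussed above in HJT-style log lines: an R1 ProxyServer value pointing at the loopback address, like the one MrC asked to fix, and O23 services whose owner HJT could not identify. The sample lines are constructed from the entries quoted in this thread; the check names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in HijackThis log format, modelled on entries
# quoted in the thread (the R1 line is the one MrC asked to have fixed).
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe",
    r"O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe",
])

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def proxy_hosts(value):
    """Return the host part of each proxy in a ProxyServer value.

    The value is either 'host:port' or a ';'-separated list of
    'scheme=host:port' pairs, as Internet Explorer stores it.
    """
    hosts = []
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1].strip()   # drop an optional 'scheme='
        hosts.append(target.rsplit(":", 1)[0])     # drop the port
    return hosts


def is_loopback(host):
    """True for 'localhost' or any loopback IP (a proxy on the local machine)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return (check_name, line) pairs for the HJT lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            if any(is_loopback(h) for h in proxy_hosts(m.group("value"))):
                findings.append(("loopback-proxy", line))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(("unknown-owner-service", line))
    return findings
```

A loopback proxy is not malicious by itself (some local filtering software uses one), so the script only surfaces the entry for review, which is how MrC used the HJT log here.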


I haven't noticed any more virus/malware type issues yet, but I don't think defogger re-enabled the CD emulation stuff correctly. I have a U3 thumbdrive that uses a partition that looks like a CD drive and autorun to launch its little OS. I haven't been able to run it ever since I used defogger. Below are both the defogger logs.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 07:27 on 28/09/2010 (Lauren and Ben)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

defogger_enable by jpshortstuff (23.02.10.1)

Log created at 12:40 on 30/09/2010 (Lauren and Ben)

Parsing file...

-=E.O.F=-

Any ideas?


I understand that autorun can be used in a malicious way but it seems to be the only way to get the U3 Launchpad to work. Can you give me instructions on how to turn autorun on and off so I can decide for myself how to have it set?

Are there other settings/features changed by the tools we ran that they don't alert the user to?


The fact that ComboFix disables autorun is mentioned in my original instructions to run ComboFix:

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

-------------------------------

See if this guide helps; it's for disabling, so you'll be doing the opposite:

http://www.howtogeek.com/howto/windows-vis...-windows-vista/

Let me know, MrC


It seems like everything is cleared up. We haven't had any redirections or other weirdness since running ComboFix the last time.

I never did get autorun to come back on, but I can work around it. Turns out that U3 is a dead platform and has been replaced by something similar that doesn't require autorun, so I guess it's OK. It would be nice if ComboFix exposed what voodoo it pulls to disable it, since it is not the Windows settings or the readily known registry settings, but again, I'm giving up on it for my machine.

Is there anything special I should do when removing the tools from my desktop or just uninstall them like any other program?

Thanks for all your help.

