Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Redirect Virus To harmful & unwanted site

Started by JasonLt , May 03 2011 02:42 AM

This topic is locked

#1
JasonLt

Posted 03 May 2011 - 02:42 AM

New Member

Member
5 posts

Hi (Above all else),
Its been a couple of days that that I've notice that i started being redirected to random sites and that i had to click the desired link about 3-4 times before i got where i wanted to go. Also at times whilst browsing, a Firefox pop up with a my computer screen (webpage) will show that i got a virus and will start scanning (its bogus) and I've always cancelled it. Obviously the system slowdown as well as at times my PC wouldn't start up properly as in "no start menu". I've got Malwarebytes which i've updated and used as well as mcafee but for some reason i feel its in fact getting worst.

Here's a copy of the HJT Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:26:42 PM, on 5/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT2776682
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [GateWay] C:\Program Files\Gravity\Gateway\GateWayMain.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

--
End of file - 7931 bytes

Thank you for your time.
~Jason.

#2
heir

Posted 03 May 2011 - 05:17 AM

Trusted Helper

Malware Removal
5,427 posts

HiJackThis is obsolete.
We need to use other tools.

Step 1.
DDS:

Please download DDS and save it to your desktop.

Disable any script blocking protection
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

Step 2.
aswMBR:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Posted Image

Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Step 3.
GMER:

Download GMER Rootkit Scanner from here or here.

Extract the contents of the zipped file to desktop.
Disable your onboard Anti Virus and any other Active protection programs you have installed. If you are unsure how to do this, see this link.
Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please note:

If (and only if) there are problems using gmer as indicated above, run the scan with ONLY the Sections and C drive boxes ticked.

Click the image to enlarge it

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double click the gmer.exe file.
The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No, then select ONLY the Sections and C drive boxes. Click on Scan and wait for it to finish.
Click on the Save button, and save the log file somewhere you can easily find it, such as your desktop, and attach it in reply

Step 4.
Things I would like to see in your reply:

The content of DDS.txt from step 1. and Attach.txt attached.
The content of the log from aswMBR in step 2.
The content of the log from GMER in step 3.

#3
JasonLt

Posted 04 May 2011 - 02:04 AM

New Member

Topic Starter
Member
5 posts

I Apologize for the late reply, been at work all day long but there they are:-

1a.

Attach.txt 15.44KB 151 downloads

1b. DDS Contents:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jason at 23:45:03.43 on Tue 05/03/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2269 [GMT 10:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Jason\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT2776682
uSearch Page =
uSearch Bar =
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [GateWay] c:\program files\gravity\gateway\GateWayMain.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\eewmp6fq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2776682&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft Choice Guard: ChoiceGuard@Microsoft - %profile%\extensions\ChoiceGuard@Microsoft
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-6-12 342128]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-4-9 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-4-9 144888]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-4-9 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-6-12 70216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-12 91640]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-12 43288]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-4-29 119272]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-3 135664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-4-29 2218600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-3 135664]
S3 IMNPF;WinPcap Packet Driver (IMNPF);c:\windows\system32\drivers\imnpf.sys [2009-12-20 27392]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2010-6-10 16128]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-12 65224]
S3 XDva365;XDva365;\??\c:\windows\system32\xdva365.sys --> c:\windows\system32\XDva365.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\xdva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\xdva385.sys --> c:\windows\system32\XDva385.sys [?]
.
=============== Created Last 30 ================
.
2011-05-03 08:26:14 388096 ----a-r- c:\docume~1\jason\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-03 08:26:13 -------- d-----w- c:\program files\Trend Micro
2011-04-29 11:33:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2011-04-29 11:30:47 -------- d-----w- C:\NVIDIA
2011-04-29 11:11:29 41984 ----a-w- c:\documents and settings\jason\~WebUpdateHelper.exe
2011-04-29 10:53:33 -------- d-----w- c:\program files\Phyxion.net
2011-04-25 04:12:35 -------- d-----w- c:\docume~1\jason\locals~1\applic~1\PMB Files
2011-04-25 04:12:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2011-04-19 03:37:41 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-19 03:37:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-13 17:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-13 17:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-07 12:15:38 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-04-07 12:15:38 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-07 12:15:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-04-07 12:15:34 13891176 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-07 12:15:34 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-07 12:15:32 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2011-04-07 12:15:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
.
==================== Find3M ====================
.
2011-04-29 11:31:36 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-04-29 11:31:36 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-04-29 11:31:30 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-04-08 05:14:00 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-04-08 05:14:00 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-04-08 05:14:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-08 05:14:00 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-04-08 05:14:00 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-08 05:14:00 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-04-08 05:14:00 2116894 ----a-w- c:\windows\system32\nvdata.bin
2011-04-08 05:14:00 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-04-08 05:14:00 2027008 ----a-w- c:\windows\system32\nvapi.dll
2011-04-08 05:14:00 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
2011-04-08 05:14:00 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 15:59:23 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-03-03 15:59:16 837224 ----a-w- c:\windows\system32\nvhdagenco322040.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620AS rev.3.AAC -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-1b
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF1F4F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8af257d0]; MOV EAX, [0x8af2584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AF5BAB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007a[0x8AF919E8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF8F940]
\Driver\atapi[0x8AF508C0] -> IRP_MJ_CREATE -> 0x8AF1F4F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AF1F33B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:45:49.98 ===============

2. aswMBR Contents:

aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
Run date: 2011-05-03 23:48:56
-----------------------------
23:48:56.578 OS Version: Windows 5.1.2600 Service Pack 3
23:48:56.578 Number of processors: 4 586 0x170A
23:48:56.578 ComputerName: JASON-E31898904 UserName: Jason
23:48:56.875 Initialize success
23:48:58.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-1b
23:48:58.421 Disk 0 Vendor: ST3320620AS 3.AAC Size: 305245MB BusType: 3
23:48:58.421 Device \Driver\atapi -> DriverStartIo 8af1f33b
23:49:00.421 Disk 0 MBR read successfully
23:49:00.421 Disk 0 MBR scan
23:49:00.421 Disk 0 TDL4@MBR code has been found
23:49:00.421 Disk 0 Windows XP default MBR code found via API
23:49:00.421 Disk 0 MBR hidden
23:49:00.421 Disk 0 MBR [TDL4] **ROOTKIT**
23:49:00.421 Disk 0 trace - called modules:
23:49:00.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8af1f4f0]<<
23:49:00.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af5bab8]
23:49:00.421 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000007a[0x8af919e8]
23:49:00.421 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> [0x8af8f940]
23:49:00.421 \Driver\atapi[0x8af508c0] -> IRP_MJ_CREATE -> 0x8af1f4f0
23:49:00.421 Scan finished successfully
23:49:32.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jason\Desktop\MBR.dat"
23:49:32.406 The log file has been saved successfully to "C:\Documents and Settings\Jason\Desktop\aswMBR.txt"

3. Contents of GMER:

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-04 17:56:27
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort3 ST3320620AS rev.3.AAC
Running: gmer.exe; Driver: C:\DOCUME~1\Jason\LOCALS~1\Temp\pgxdipod.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xB7DBD238]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB7DBD0F6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB7DBD090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB7DBD0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB7DBD10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB7DBD136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB7DBD1A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB7DBD18E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB7DBD1BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB7DBD278]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB7DBD1E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB7DBD0E2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB7DBD054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB7DBD068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB7DBD24C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB7DBD222]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB7DBD178]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB7DBD162]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB7DBD120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB7DBD20E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB7DBD1FA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB7DBD0CE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB7DBD0BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB7DBD14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB7DBD2A7]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB7DBD1D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7DBD28E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB7DBD262]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B7DBD266 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 805790A8 5 Bytes JMP B7DBD23C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B7DBD27C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B7DBD292 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B841E 7 Bytes JMP B7DBD250 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B7DBD058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B7DBD06C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE8A 5 Bytes JMP B7DBD0BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP B7DBD0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1230 5 Bytes JMP B7DBD094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D173A 5 Bytes JMP B7DBD0D2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B7DBD2AB mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80622314 7 Bytes JMP B7DBD166 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B7DBD150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 8062298C 7 Bytes JMP B7DBD1D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062323E 7 Bytes JMP B7DBD17C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B7DBD124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B7DBD0FA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B7DBD10E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B7DBD13A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8062493C 7 Bytes JMP B7DBD1A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624BA6 7 Bytes JMP B7DBD192 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B7DBD0E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80625810 7 Bytes JMP B7DBD226 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625AD0 5 Bytes JMP B7DBD1FE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 80625F20 7 Bytes JMP B7DBD1BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806261C4 5 Bytes JMP B7DBD212 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806262DE 5 Bytes JMP B7DBD1EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5ECA3A0, 0x83C195, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA58A9A00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F72
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F94
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00A9
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF008C
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00F0
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00DF
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F3C
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F61
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00BA
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800F97
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0080004A
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00800FB2
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A0, 88]
.text C:\WINDOWS\system32\svchost.exe[472] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800FCD
.text C:\WINDOWS\system32\svchost.exe[472] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0F8B
.text C:\WINDOWS\system32\svchost.exe[472] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0FA6
.text C:\WINDOWS\system32\svchost.exe[472] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FC1
.text C:\WINDOWS\system32\svchost.exe[472] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\system32\svchost.exe[472] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0016
.text C:\WINDOWS\system32\svchost.exe[472] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0FD2
.text C:\WINDOWS\system32\svchost.exe[472] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 007E0025
.text C:\WINDOWS\system32\svchost.exe[472] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[472] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 007E0FE3
.text C:\WINDOWS\system32\svchost.exe[472] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 007E0036
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01220FE5
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01220F79
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0122006E
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01220F94
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01220047
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0122001B
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01220090
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0122007F
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012200BC
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012200AB
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01220F12
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01220036
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01220FD4
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01220F54
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01220FB9
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01220000
.text C:\WINDOWS\system32\services.exe[996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01220F2D
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0121004A
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01210FA1
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01210FEF
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0121001B
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01210FB2
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01210000
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01210FCD
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [41, 89]
.text C:\WINDOWS\system32\services.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01210FDE
.text C:\WINDOWS\system32\services.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01200FD2
.text C:\WINDOWS\system32\services.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 01200053
.text C:\WINDOWS\system32\services.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01200038
.text C:\WINDOWS\system32\services.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01200000
.text C:\WINDOWS\system32\services.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01200FE3
.text C:\WINDOWS\system32\services.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0120001D
.text C:\WINDOWS\system32\services.exe[996] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 011F000A
.text C:\WINDOWS\system32\services.exe[996] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 011F0FEF
.text C:\WINDOWS\system32\services.exe[996] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 011F0025
.text C:\WINDOWS\system32\services.exe[996] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 011F0042
.text C:\WINDOWS\system32\services.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E70F52
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E70047
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E70025
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E70F8D
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E70EFF
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E70F26
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E70EC2
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E70ED3
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E70076
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E70014
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E70F37
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E70F9E
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E70FAF
.text C:\WINDOWS\system32\lsass.exe[1008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E70EEE
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E60036
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E60080
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E6005B
.text C:\WINDOWS\system32\lsass.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\system32\lsass.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E5005F
.text C:\WINDOWS\system32\lsass.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E5004E
.text C:\WINDOWS\system32\lsass.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50018
.text C:\WINDOWS\system32\lsass.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\lsass.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50033
.text C:\WINDOWS\system32\lsass.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50FDE
.text C:\WINDOWS\system32\lsass.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[1008] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\lsass.exe[1008] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\lsass.exe[1008] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 00DC001D
.text C:\WINDOWS\system32\lsass.exe[1008] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50027
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50016
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50F3C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50F57
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50F83
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D50EE9
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50EFA
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50082
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50067
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50EC4
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50F72
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D50FCA
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50F17
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50FA8
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D5004C
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D40025
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40F94
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D40FDE
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D40051
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D40FB9
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 88]
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D40040
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30055
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30044
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30029
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30018
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 00800042
.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30F68
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F3005D
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30040
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F3002F
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FA8
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30F1F
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30F30
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F3009A
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F30089
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F300B5
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30F97
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F30F4D
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30FC3
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F30078
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F2002C
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20FAF
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20FC0
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F20062
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20051
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10FB4
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F1003F
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F1002E
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FD9
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F1001D
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 00F0002C
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 00F0003D
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800058
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800F63
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800F80
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F91
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0080002C
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0080009F
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800084
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000DC
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008000C1
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00800F28
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0080003D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800069
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800FCA
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008000B0
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007D002F
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007D0F8A
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007D0FDE
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007D0051
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007D0000
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007D0040
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007D0FB9
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0051
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C0FC6
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C001B
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C0FE3
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 007B002C
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007A0000
.text C:\WINDOWS\System32\svchost.exe[1444] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\System32\svchost.exe[1444] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\System32\svchost.exe[1444] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0080000C
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05820000
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05820F30
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05820025
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05820F4B
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05820F68
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05820F9E
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05820F15
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0582005B
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05820ED5
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05820EFA
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05820089
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05820F83
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05820FE5
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0582004A
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05820FC3
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05820FD4
.text C:\WINDOWS\System32\svchost.exe[1444] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05820078
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 053B001B
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 053B004E
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 053B0FCA
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 053B000A
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 053B003D
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 053B0FEF
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 053B002C
.text C:\WINDOWS\System32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 053B0FA5
.text C:\WINDOWS\System32\svchost.exe[1444] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00C4000A
.text C:\WINDOWS\System32\svchost.exe[1444] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 053A0022
.text C:\WINDOWS\System32\svchost.exe[1444] msvcrt.dll!system 77C293C7 5 Bytes JMP 053A0F97
.text C:\WINDOWS\System32\svchost.exe[1444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 053A0011
.text C:\WINDOWS\System32\svchost.exe[1444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 053A0FE3
.text C:\WINDOWS\System32\svchost.exe[1444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 053A0FBC
.text C:\WINDOWS\System32\svchost.exe[1444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 053A0000
.text C:\WINDOWS\System32\svchost.exe[1444] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 02660025
.text C:\WINDOWS\System32\svchost.exe[1444] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 02660000
.text C:\WINDOWS\System32\svchost.exe[1444] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 02660036
.text C:\WINDOWS\System32\svchost.exe[1444] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 02660FEF
.text C:\WINDOWS\System32\svchost.exe[1444] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02650FEF
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01030F68
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0103005D
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01030F83
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01030040
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01030FB9
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01030089
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01030F4D
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010300C9
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01030F30
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01030F1F
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01030F94
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01030FE5
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01030078
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030FCA
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01030025
.text C:\WINDOWS\system32\wuauclt.exe[1572] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010300A4
.text C:\WINDOWS\system32\wuauclt.exe[1572] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0101003D
.text C:\WINDOWS\system32\wuauclt.exe[1572] msvcrt.dll!system 77C293C7 5 Bytes JMP 01010022
.text C:\WINDOWS\system32\wuauclt.exe[1572] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010011
.text C:\WINDOWS\system32\wuauclt.exe[1572] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\wuauclt.exe[1572] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01010FBC
.text C:\WINDOWS\system32\wuauclt.exe[1572] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020011
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01020F94
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01020FCA
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01020051
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020FE5
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0102002C
.text C:\WINDOWS\system32\wuauclt.exe[1572] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01020FA5
.text C:\WINDOWS\system32\wuauclt.exe[1572] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 01000FEF
.text C:\WINDOWS\system32\wuauclt.exe[1572] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 0100000A
.text C:\WINDOWS\system32\wuauclt.exe[1572] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 01000FDE
.text C:\WINDOWS\system32\wuauclt.exe[1572] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 01000031
.text C:\WINDOWS\system32\wuauclt.exe[1572] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009B0098
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009B007D
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009B006C
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009B0FAF
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009B0040
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009B00BA
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009B00A9
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009B0F4D
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009B00E6
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009B0101
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009B0051
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009B0FDE
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009B0F7E
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009B002F
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009B001E
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009B00CB
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009A0062
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009A0FDB
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009A0047
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009A0036
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009A0FAF
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800027
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800F9C
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800FC8
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800FB7
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0080000C
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 007F0038
.text C:\WINDOWS\system32\svchost.exe[1628] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 007F0049
.text C:\WINDOWS\system32\svchost.exe[1628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B70097
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B70086
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B70069
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B7004E
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B70033
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B700D4
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B700C3
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B700F6
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B70F67
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B7011B
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B70FB6
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B700B2
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B70022
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[1764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B700E5
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800065
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00800054
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00800043
.text C:\WINDOWS\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800FB2
.text C:\WINDOWS\system32\svchost.exe[1764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0031
.text C:\WINDOWS\system32\svchost.exe[1764] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0FA6
.text C:\WINDOWS\system32\svchost.exe[1764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FD2
.text C:\WINDOWS\system32\svchost.exe[1764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FB7
.text C:\WINDOWS\system32\svchost.exe[1764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F000C
.text C:\WINDOWS\system32\svchost.exe[1764] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[1764] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1764] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[1764] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 007E0FAD
.text C:\WINDOWS\system32\svchost.exe[1764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[1896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF000A
.text C:\WINDOWS\Explorer.EXE[1896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0118000A
.text C:\WINDOWS\Explorer.EXE[1896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FE000C
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D30000
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D3007D
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D3006C
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D3005B
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30F9E
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D30040
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D3009F
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D3008E
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D30F17
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D300BA
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D300CB
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D30FB9
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D30025
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D30F63
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\Explorer.EXE[1896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D30F3C
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20FDE
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20065
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20025
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D2004A
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D20000
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20FA8
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\Explorer.EXE[1896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20FC3
.text C:\WINDOWS\Explorer.EXE[1896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D1004C
.text C:\WINDOWS\Explorer.EXE[1896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FC1
.text C:\WINDOWS\Explorer.EXE[1896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10FD2
.text C:\WINDOWS\Explorer.EXE[1896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\Explorer.EXE[1896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10027
.text C:\WINDOWS\Explorer.EXE[1896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D1000C
.text C:\WINDOWS\Explorer.EXE[1896] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\Explorer.EXE[1896] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 00D00000
.text C:\WINDOWS\Explorer.EXE[1896] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 00D00011
.text C:\WINDOWS\Explorer.EXE[1896] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\Explorer.EXE[1896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01680FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01680039
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01680F44
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01680F55
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01680F72
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01680F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01680F11
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01680F22
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01680EC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01680ED1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01680EA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01680F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01680FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01680F33
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01680FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0168000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01680EEC
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00810FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00810036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00810000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00810FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810F79
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0081001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00810F8A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0080004E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800033
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800018
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 007F0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 007F0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 007F0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2592] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 007F002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00830FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00830064
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00830053
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00830F79
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00830F8A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00830FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00830F4D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00830F5E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008300BA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00830F21
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008300CB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00830036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00830FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0083007F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0083001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00830000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00830F32
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00820FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00820F97
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0082002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00820FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00820FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00820000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00820FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A2, 88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0082004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00810FB7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] msvcrt.dll!system 77C293C7 5 Bytes JMP 00810FC8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0081001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00810FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00810038
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0081000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] WININET.dll!InternetOpenW 771BAF55 5 Bytes JMP 0080001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] WININET.dll!InternetOpenA 771C57A6 5 Bytes JMP 0080000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] WININET.dll!InternetOpenUrlA 771C5A72 5 Bytes JMP 00800036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3408] WININET.dll!InternetOpenUrlW 771D5BC2 5 Bytes JMP 00800FE5

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8AEDC33B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-1b 8AEDC33B

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

#4
heir

Posted 04 May 2011 - 02:20 AM

Trusted Helper

Malware Removal
5,427 posts

I Apologize for the late reply, been at work all day long but there they are:-

No need to apologize. We are in different timezones.

Looks as a MBR-infection.

What brand and model is that computer?

Step 1.
MBRCheck:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 2.
Things I would like to see in your reply:

Answer to the question in the beginning of this post.
The content of the log from MBRCheck in step 2.

#5
JasonLt

Posted 04 May 2011 - 03:12 AM

New Member

Topic Starter
Member
5 posts

Thanks Again for the quick reply:

1. This is a little bit tricky since I built it myself but here's the things i can tell you about it:
1. Formula Maximus, Special Edition MB, Asus
2. Intel® Core™2 Quad CPU, Q9550 @ 2.83GHz
I know it might be a pain it he neck and this might not be what you're looking for, so please feel free to ask (Specifics)

2. MBRCheck Contents:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 127):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0x8AE7D000 \WINDOWS\system32\KDCOM.DLL
0xB84BC000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB80B8000 ohci1394.sys
0xB80C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AA000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB80F8000 disk.sys
0xB8108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EEB000 fltmgr.sys
0xB7ED9000 sr.sys
0xB8118000 PxHelp20.sys
0xB7EC2000 KSecDD.sys
0xB7E35000 Ntfs.sys
0xB7E08000 NDIS.sys
0xB7DEE000 Mup.sys
0xB7D9C000 mfehidk.sys
0xB8168000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB5ECA000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB5EB6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB5E8E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8408000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB5E6A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8410000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB5E24000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xB8208000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8218000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8228000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB5E01000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8418000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB8420000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB85E2000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB8428000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB87FC000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB8248000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8558000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB5DEA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8258000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB7B12000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8448000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB555A000 \SystemRoot\system32\DRIVERS\psched.sys
0xB6AE7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB4E87000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB4E7F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xAE45A000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB3879000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB4E77000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB866A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xAE3FC000 \SystemRoot\system32\DRIVERS\update.sys
0xB50FB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xA84F2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA5965000 \SystemRoot\system32\drivers\nvhda32.sys
0xA5943000 \SystemRoot\system32\drivers\portcls.sys
0xA84E2000 \SystemRoot\system32\drivers\drmk.sys
0xA84D2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB8628000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA58CB000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA58B1000 \SystemRoot\system32\drivers\AEAudio.sys
0xA5851000 \SystemRoot\system32\drivers\Senfilt.sys
0xA7F5C000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB862C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA800C000 \SystemRoot\System32\Drivers\Null.SYS
0xB862E000 \SystemRoot\System32\Drivers\Beep.SYS
0xA84B2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xA7EA3000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA7E9B000 \SystemRoot\System32\drivers\vga.sys
0xB8638000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB863A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA7E93000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA7E8B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA7EF3000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA581E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA57C5000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA579F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA809E000 \SystemRoot\system32\drivers\mfetdik.sys
0xA806E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA5777000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA805E000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA5755000 \SystemRoot\System32\drivers\afd.sys
0xA804E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA572A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA56BA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA802E000 \SystemRoot\System32\Drivers\Fips.SYS
0xB863E000 \SystemRoot\system32\drivers\AsIO.sys
0xAEC42000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA7C8A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAEC3A000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA7C7A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA7BB7000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA7C6A000 \SystemRoot\system32\drivers\usbaudio.sys
0xB8560000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA56A2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xAEF65000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB8578000 \SystemRoot\System32\drivers\Dxapi.sys
0xB37D9000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB876B000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD3FE000 \SystemRoot\System32\ATMFD.DLL
0xAF24A000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA40F2000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE4EA000 \SystemRoot\system32\drivers\sysaudio.sys
0xA3D22000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA3BB2000 \SystemRoot\system32\DRIVERS\srv.sys
0xA3A9E000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA377E000 \SystemRoot\system32\drivers\mfebopk.sys
0xA371D000 \SystemRoot\system32\drivers\mfeapfk.sys
0xA3708000 \SystemRoot\system32\drivers\mfeavfk.sys
0xA345A000 \SystemRoot\System32\Drivers\HTTP.sys
0xA3078000 \??\C:\DOCUME~1\Jason\LOCALS~1\Temp\pgxdipod.sys
0xA3C32000 \SystemRoot\System32\Drivers\usbaapl.sys
0xA3A92000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 52):
0 System Idle Process
4 System
832 C:\WINDOWS\system32\smss.exe
924 csrss.exe
952 C:\WINDOWS\system32\winlogon.exe
996 C:\WINDOWS\system32\services.exe
1008 C:\WINDOWS\system32\lsass.exe
1184 C:\WINDOWS\system32\nvsvc32.exe
1216 C:\WINDOWS\system32\svchost.exe
1284 svchost.exe
1444 C:\WINDOWS\system32\svchost.exe
1628 svchost.exe
1764 svchost.exe
1896 C:\WINDOWS\explorer.exe
1996 C:\WINDOWS\system32\spoolsv.exe
400 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
408 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
432 C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
440 C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
476 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
512 C:\Program Files\Analog Devices\Core\smax4pnp.exe
528 C:\Program Files\iTunes\iTunesHelper.exe
536 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
544 C:\Program Files\Common Files\Java\Java Update\jusched.exe
552 C:\WINDOWS\system32\rundll32.exe
584 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
620 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
1400 svchost.exe
1528 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
196 C:\Program Files\Bonjour\mDNSResponder.exe
1828 C:\Program Files\Java\jre6\bin\jqs.exe
772 C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
2592 C:\Program Files\McAfee\Common Framework\FrameworkService.exe
3332 C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
3396 C:\WINDOWS\system32\mfevtps.exe
3408 naPrdMgr.exe
3560 daemonu.exe
3780 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
472 C:\WINDOWS\system32\svchost.exe
284 C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
1572 C:\WINDOWS\system32\wuauclt.exe
1668 C:\Program Files\McAfee\Common Framework\McTray.exe
1700 mfeann.exe
3800 C:\Program Files\iPod\bin\iPodService.exe
1548 alg.exe
1892 C:\WINDOWS\system32\wuauclt.exe
1744 C:\Program Files\Mozilla Firefox\firefox.exe
2316 C:\Program Files\Mozilla Firefox\plugin-container.exe
1240 C:\WINDOWS\system32\wuauclt.exe
2704 C:\WINDOWS\system32\notepad.exe
1976 C:\WINDOWS\system32\rundll32.exe
2540 C:\Documents and Settings\Jason\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000027`0fef5800 (NTFS)

PhysicalDrive0 Model Number: ST3320620AS, Rev: 3.AAC

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

#6
heir

Posted 04 May 2011 - 03:34 AM

Trusted Helper

Malware Removal
5,427 posts

This is a little bit tricky since I built it myself but here's the things i can tell you about it:

Self built is enough, then it uses standard MBR.

Let's start fixing things then.

Step 1.
MBR backup:

Open notepad and copy/paste the text in the codebox below into it:

MBRCheck -s 0 -d MBRbckp.dat
del %0

Save this as bmbr.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this: Posted Image

Double click on bmbr.bat & allow it to run

A file MBRbckp.dat will be created on your desktop.
Zip MBRbckp.dat and attach that zipped file in a reply.

Don't proceed until you've done the above.

When done do next step.

Step 2.
aswMBR-fix:

Close all applications

Run aswMBR and Click Scan

On completion of the scan, click the Fix - button

Posted Image

When prompted to restart click Yes

Rerun aswMBR and save the log as before and post in your next reply

Edited by heir, 04 May 2011 - 03:36 AM.
typo

#7
JasonLt

Posted 04 May 2011 - 03:59 AM

New Member

Topic Starter
Member
5 posts

Hi Heir,

Something strange happened, when i did part 2, i didn't get the notification or the prompt, it just froze and stayed like that (couldn't even go to task manager), i had to force restart the pc, but i didn't see any red writings when i re-ran it when it rebooted (PC loaded a whole lot faster as well).

1.

MBR.zip 551bytes 127 downloads

2. aswMBR Contents

aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
Run date: 2011-05-04 19:53:06
-----------------------------
19:53:06.687 OS Version: Windows 5.1.2600 Service Pack 3
19:53:06.687 Number of processors: 4 586 0x170A
19:53:06.687 ComputerName: JASON-E31898904 UserName: Jason
19:53:07.265 Initialize success
19:53:11.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-1b
19:53:11.218 Disk 0 Vendor: ST3320620AS 3.AAC Size: 305245MB BusType: 3
19:53:13.218 Disk 0 MBR read successfully
19:53:13.218 Disk 0 MBR scan
19:53:13.218 Disk 0 Windows XP default MBR code
19:53:15.234 Disk 0 scanning sectors +625121280
19:53:15.250 Disk 0 scanning C:\WINDOWS\system32\drivers
19:53:19.109 Service scanning
19:53:19.921 Disk 0 trace - called modules:
19:53:19.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:53:19.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aeffab8]
19:53:19.921 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000007a[0x8af009e8]
19:53:19.921 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-1b[0x8af79d98]
19:53:19.921 Scan finished successfully
19:53:46.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jason\My Documents\MBR.dat"
19:53:46.671 The log file has been saved successfully to "C:\Documents and Settings\Jason\My Documents\aswMBR.txt"

#8
heir

Posted 04 May 2011 - 11:35 AM

Trusted Helper

Malware Removal
5,427 posts

Something strange happened, when i did part 2, i didn't get the notification or the prompt, it just froze and stayed like that (couldn't even go to task manager), i had to force restart the pc

Forgot to mention that this could happen.
The MBR is fixed.

Let's move on removing leftovers.

Step 1.
Clean temp locations:

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2.
Scan with MBAM:

Launch Malwarebytes' Anti-Malware.
Update Malwarebytes' Anti-Malware.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Step 4.
Things I would like to see in your reply:

The content of the report from MBAM from Step 2.
The content of the report from ESET Online Scanner from Step 3.
Information on how the computer is running after those steps.

#9
JasonLt

Posted 05 May 2011 - 03:45 AM

New Member

Topic Starter
Member
5 posts

Hi Heir,
Once again, just finished work but hey, here's the results.

1. MBAM Contents:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6511

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/5/2011 6:08:48 PM
mbam-log-2011-05-05 (18-08-48).txt

Scan type: Quick scan
Objects scanned: 169152
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Jason\~webupdatehelper.exe (Trojan.Agent) -> Quarantined and deleted successfully.

2. ESET Contents
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=388aee6791a2c64a851a9dd01ea987aa
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-05 09:36:02
# local_time=2011-05-05 07:36:02 (+1000, AUS Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=130945
# found=1
# cleaned=1
# scan_time=4303
C:\Documents and Settings\Jason\Application Data\OpenCandy\OpenCandy_6DD981768A914CFDB6ED68147C75763E\registrybooster(3).exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

3. Improvements
-It's no longer redirecting to random sites, auto clicking & bogus virus scanning.
-It's shutting down/rebooting properly
-It's fast again!
-Mate, You're a Legend, in fact so much of one that I'm going to apply to be one of your apprentice until I graduate!

It looking great Heir & I really appreciate your help. Now it doesn't do any of those bogus stuff. Just let me know if there's anything else that i can do and if i may ask you, how did i get the MBR-infection?

#10
heir

Posted 05 May 2011 - 04:11 AM

Trusted Helper

Malware Removal
5,427 posts

how did i get the MBR-infection?

There are numerous ways to get infected. To take preventive steps and be aware of where you go on Internet and what external media you hook up to your computer.
Some info on it below.

Hey there, JasonLt !

OK! Well done, your log is clean again!

Time for some housekeeping.

Step 1.
Clean up:

First:
We need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Download OTC to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that is left over after you ran OTC.

Second:
Now lets Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step 2.
Prevention:

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vunerable to attack.

Please go to the link below to download an update.

http://www.adobe.com.../readstep2.html

Remove the older versions and install the latest,

Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows

Click Start.
Select Settings and then Control Panel.
Select Automatic Updates.
Click Automatic (recommended)
Choose a day and a time when you know the computer will be on and connected to the Internet.
Click Apply then OK.

Third:
Now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware

SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.

.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

Fourth:
Next lets look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls

Comodo is a free fully functional firewall
Online Armor (Free edition) personal firewall

Fifth:
On to personal Anti Virus programs.

One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs

avast! Free Edition an excellent free AV.
AVG Anti-Virus Free Edition is free for personal use.
Avira AntiVir PersonalEdition, yet another good free AV.

Sixth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

Trillian or,
Miranda-IM

Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

#11
heir

Posted 09 May 2011 - 04:23 AM

Trusted Helper

Malware Removal
5,427 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.