
Thread: Search results being redirected, could not post to spybot forum from infected pc

  1. #1
    Junior Member
    Join Date: Nov 2010
    Posts: 15

    Search results being redirected, could not post to spybot forum from infected pc

    I haven't had many computer issues in the past, so this is the first time I've had to come to a forum for help; please be patient with me as I am not exactly computer savvy. I have just recently started having problems with search results being redirected, not all searches but most, and it seems to be getting worse. I just recently installed McAfee Antivirus and to my surprise the problem seems to have gotten worse. I installed Malwarebytes Anti-Malware as well as Spybot Search & Destroy and performed a scan with both before finding these forums; the scans have not changed the performance issues. I attempted to follow the steps in the FAQ before starting this post and downloaded ERUNT, but when I go to check system registry only I get an error message that the file does not exist and asks if I want to create it. I also went to post to this forum from the infected PC and keep getting an error message that Internet Explorer cannot display the webpage, but I have other tabs open that are still functioning fine. Please let me know if I need to include any additional details; like I said, this is new to me, I just want to get these issues fixed and try to prevent them in the future. Appreciate any assistance!!

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Teresa at 20:41:59.34 on Tue 11/16/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1203 [GMT -6:00]

    AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Teresa\Local Settings\Temporary Internet Files\Content.IE5\P7ZBO9HT\dds[1].scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.yahoo.com/
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: @Û - No File
    BHO: rsion - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101105221642.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: ¸?Û - No File
    BHO: ø@Û - No File
    BHO: ˆ?Û - No File
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
    mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
    mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
    mRun: [EPSON Stylus CX7800 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
    mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    dRun: [ohewekyr] c:\windows\temp\wgejfberh\teurduqtsbl.exe
    StartupFolder: c:\docume~1\teresa\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.library.icc.edu/lib/illcencol/support/plugins/ebraryRdr.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102w.bay102.mail.live.com/mail/resources/MsnPUpld.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141084118537
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-5 386840]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-5 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-5 271480]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-5 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-5 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-5 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-5 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-5 152960]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-5 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-5 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-5 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-5 84264]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-8-16 14336]

    =============== Created Last 30 ================

    2010-11-13 02:08:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-11-13 02:08:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-11-13 02:04:23 -------- d-----w- c:\docume~1\teresa\applic~1\Malwarebytes
    2010-11-13 02:04:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 02:04:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 02:04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 02:04:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-06 02:58:24 -------- d-----w- c:\windows\system32\Adobe

    ==================== Find3M ====================

    2010-10-14 03:28:54 141792 ----a-w- c:\windows\system32\mfevtps.exe
    2010-10-08 02:03:12 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-10-08 02:03:10 104 --sh--r- c:\windows\system32\4BC96202A9.sys
    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A982446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a988504]; MOV EAX, [0x8a988580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A9B2AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A9B47E8]
    \Driver\atapi[0x8AA17350] -> IRP_MJ_CREATE -> 0x8A982446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A982292
    user != kernel MBR !!!
    sectors 312499998 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 20:45:02.47 ===============

  2. #2
    Senior Member
    Join Date: Apr 2010
    Posts: 463

    Hello tbinder and

    My name is JonTom

    • Malware Logs can sometimes take a lot of time to research and interpret.
    • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
    • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
    • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
    • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


    please be patient with me as I am not exactly computer savvy
    Don't worry. If there is anything you do not understand or are unsure about just ask - it's what I am here for.

    When you ran DDS were two logs produced? You posted DDS.txt (the main log) but there should also have been a second log created called attach.txt. If you have the attach.txt please post it in your next reply.

    Before we do any fixing I would like to see the results of an ARK scan.

    could not post to spybot forum from infected pc
    If you cannot establish a stable connection from the infected machine, please download the required tools using a clean (uninfected) system and transfer them to the infected machine, either by burning them to disk or by using a flash drive (USB memory stick).

    If you choose to use a USB stick, please run the following program to minimise the chances of cross-infection:

    1. Please download Flash Disinfector

      • Click here to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
      • Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
      • The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
      • Wait until Flash Disinfector has finished scanning and then exit the program.
      • Reboot your computer.

      Once you have done this, please do the following:

    2. Please scan your system with GMER

      • Download GMER Rootkit Scanner from here or here.
      • Extract the contents of the zipped file to desktop.
      • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
      • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
      • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
        • IAT/EAT
        • Drives/Partition other than Systemdrive (typically C:\)
        • Show All (don't miss this one)
      • Then click the Scan button & wait for it to finish.
      • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
      • Save it where you can easily find it, such as your desktop, and post it in your reply.

      **Caution**
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

      Please post the GMER log in your next reply. If you encounter any difficulties getting the scan to complete come back and let me know.
    Proud Graduate of the WTT Classroom

  3. #3
    Junior Member
    Join Date: Nov 2010
    Posts: 15

    response

    OK, I hope I have done this correctly. I am attaching the DDS log that I initially left off. Below is the GMER text after the scan completed. I should also tell you that my husband, in an attempt to help, downloaded and scanned with CCleaner; I thought you would probably need to know moving forward. I told him no more helping. I hope that doesn't cause any issues, and if it does I apologize. Please let me know if I haven't included what you need or if I have pasted/attached incorrectly. Thanks again, Teresa

    Below is the first portion of the GMER text; it wouldn't all fit in one post, so the rest will follow.
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-19 20:30:35
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1600JS-75NCB1 rev.10.02E01
    Running: gmer.exe; Driver: C:\DOCUME~1\Teresa\LOCALS~1\Temp\uftdqpob.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E970E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E970F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E97120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E97176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E970CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E970A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E970B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E9710A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E9714C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E97136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E971A0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E9718C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E97160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9E97164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B9E9717A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B9E97190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP B9E97150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B9E970A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP B9E970BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B9E971A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP B9E9713A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B9E9710E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP B9E970E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B9E970F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B9E97124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP B9E970D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xBA3E3760]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DE0000
    .text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DE0FDB
    .text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE0011
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0FEF
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0F8B
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F9C
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0080
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0FC3
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FD4
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD00CC
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0F7A
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F44
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD0F69
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD0102
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD0065
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD0014
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD00A5
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0040
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD002F
    .text C:\WINDOWS\system32\svchost.exe[304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD00DD
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0FE5
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0087
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC002C
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC0011
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC006C
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0000
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0FCA
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88]
    .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0051
    .text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0042
    .text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0FB7
    .text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0027
    .text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0000
    .text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FC8
    .text C:\WINDOWS\system32\svchost.exe[304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FE3
    .text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DA0000
    .text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DA001B
    .text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DA0FDB
    .text C:\WINDOWS\system32\svchost.exe[304] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00DA002C
    .text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0000
    .text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC001B
    .text C:\WINDOWS\system32\svchost.exe[448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0FE5
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB000A
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0FA5
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB009A
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0FC0
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB007D
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB005B
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F77
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F94
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00F5
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00E4
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F37
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB006C
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB001B
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB00B5
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0036
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FE5
    .text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F66
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA0FB9
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0F72
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0000
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FCA
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0F8D
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FE5
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BA002F
    .text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA0FA8
    .text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D2003D
    .text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D2002C
    .text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FC6
    .text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20FE3
    .text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D2001B
    .text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20000
    .text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BD0000
    .text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BD0FE5
    .text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BD0025
    .text C:\WINDOWS\system32\svchost.exe[448] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00BD0036
    .text C:\WINDOWS\system32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[664] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[664] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\explorer.exe[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
    .text C:\WINDOWS\explorer.exe[784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
    .text C:\WINDOWS\explorer.exe[784] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D3000C
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FDB
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0073
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D002C
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D001B
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0062
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0000
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0FCA
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
    .text C:\WINDOWS\explorer.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0051
    .text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002E0047
    .text C:\WINDOWS\explorer.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 002E0FBC
    .text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002E0FD7
    .text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002E0000
    .text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002E002C
    .text C:\WINDOWS\explorer.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002E0011
    .text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02B30FEF
    .text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02B30025
    .text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02B30014
    .text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FB000A
    .text C:\WINDOWS\system32\wuauclt.exe[844] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F9000C
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02B20000
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02B2006E
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02B20F79
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02B20F94
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02B20FA5
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02B20047
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02B20F43
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02B20095
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02B20EFC
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02B20F17
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02B20EE1
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02B20FB6
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02B2001B
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02B20F5E
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02B20036
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02B20FE5
    .text C:\WINDOWS\system32\wuauclt.exe[844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02B20F32
    .text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02B0003D
    .text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 02B00FBC
    .text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02B00011
    .text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02B00FE3
    .text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02B0002C
    .text C:\WINDOWS\system32\wuauclt.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02B00000
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02B10025
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02B10FAF
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02B10FDE
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02B10FEF
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02B10076
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02B1000A
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02B10065
    .text C:\WINDOWS\system32\wuauclt.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02B1004A
    .text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02AE0000
    .text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02AE0FEF
    .text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02AE0FCA
    .text C:\WINDOWS\system32\wuauclt.exe[844] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 02AE001B
    .text C:\WINDOWS\system32\wuauclt.exe[844] WS2_32.dll!socket

  4. #4

    Default 2nd portion of gmer text

    .text C:\WINDOWS\system32\services.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0000
    .text C:\WINDOWS\system32\services.exe[1092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB002C
    .text C:\WINDOWS\system32\services.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB0011
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F5C
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F6D
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0047
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0036
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FAF
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F2B
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA007D
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EEE
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0EFF
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EDD
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F9E
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA006C
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0025
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
    .text C:\WINDOWS\system32\services.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F10
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0025
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE005B
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FD4
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0000
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0F94
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0040
    .text C:\WINDOWS\system32\services.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FB9
    .text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0038
    .text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FB7
    .text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD000C
    .text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FE3
    .text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0027
    .text C:\WINDOWS\system32\services.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FD2
    .text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BC0FE5
    .text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BC0FD4
    .text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BC0FC3
    .text C:\WINDOWS\system32\services.exe[1092] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00BC0014
    .text C:\WINDOWS\system32\services.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF
    .text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EA0000
    .text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EA002C
    .text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA001B
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90051
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90F5C
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90036
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90F79
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FAF
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E9007D
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F41
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900C4
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900A9
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900D5
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90F94
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FE5
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90062
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90011
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FCA
    .text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90098
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010F0FDE
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010F0F9E
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010F002F
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010F0014
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010F005B
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010F0FEF
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010F004A
    .text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010F0FB9
    .text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010E0FB4
    .text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 010E003F
    .text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010E001D
    .text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010E0000
    .text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010E002E
    .text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010E0FE3
    .text C:\WINDOWS\system32\lsass.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC000A
    .text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EB0FEF
    .text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EB0000
    .text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EB0025
    .text C:\WINDOWS\system32\lsass.exe[1104] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00EB0FD4
    .text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02570FEF
    .text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02570FC3
    .text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02570FDE
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02560FEF
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0256007F
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02560F8A
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02560F9B
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02560058
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0256002C
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02560F4D
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02560F5E
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025600C4
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02560F21
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025600D5
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02560047
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02560000
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02560F6F
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02560FC0
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02560011
    .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02560F3C
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025B0FB9
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025B0F68
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025B0FCA
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025B0FE5
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025B0F79
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025B0000
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 025B0025
    .text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025B0F9E
    .text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025A0F97
    .text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 025A0022
    .text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025A0FBC
    .text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025A0000
    .text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025A0011
    .text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025A0FD7
    .text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02580000
    .text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0258001B
    .text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02580FE5
    .text C:\WINDOWS\system32\svchost.exe[1356] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 02580036
    .text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02590000
    .text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F10FEF
    .text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F10014
    .text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F10FDE
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F44
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F55
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00F7C
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00F8D
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00FC3
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00060
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00F0E
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F0008C
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00EF3
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F0009D
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FB2
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0000A
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F29
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FDE
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F0002F
    .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00071
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FD1
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50F87
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50022
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50011
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F5004E
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50000
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F50FAC
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [15, 89]
    .text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F5003D
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40F97
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F40022
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40011
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40000
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40FBC
    .text C:\WINDOWS\system32\svchost.exe[1544] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40FE3
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F20FEF
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F20FDE
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F20FC3
    .text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00F2001E
    .text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30FEF
    .text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 031D0FEF
    .text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 031D0FCD
    .text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 031D0FDE
    .text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AB000A
    .text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A9000C
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 031C0FE5
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 031C0F55
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 031C0F70
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 031C0F97
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 031C004A
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 031C0FB2
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031C008C
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 031C0F44
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031C00B8
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031C0F29
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 031C00DD
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 031C0039
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 031C0FD4
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 031C0065
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 031C0FC3
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 031C000A
    .text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 031C00A7
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03210FCA
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03210062
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0321001B
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03210FE5
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03210051
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03210000
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03210FAF
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [41, 8B]
    .text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03210036
    .text C:\WINDOWS\System32\svchost.exe[1672] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E5000A
    .text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03200F7F
    .text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 03200F90
    .text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03200FC6
    .text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03200000
    .text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03200FAB
    .text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03200FE3
    .text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 031E000A
    .text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 031E0FEF
    .text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 031E0FDE
    .text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 031E002F
    .text C:\WINDOWS\System32\svchost.exe[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 031F0FEF
    .text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A6000A
    .text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A60FDE
    .text C:\WINDOWS\system32\svchost.exe[1808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A60FEF
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50000
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A5007F
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50F8A
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50062
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50FA5
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50FD1
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A500BC
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A500AB
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500F2
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A50F59
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50F3E
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A50FB6
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A50011
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50090
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A5003D
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A5002C
    .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A500D7
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AA002C
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AA0047
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AA0FE5
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AA001B
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AA0F94
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AA000A
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AA0FAF
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CA, 88]
    .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AA0FC0
    .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A90053
    .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A90FBE
    .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A90027
    .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A90000
    .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A90038
    .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A90FEF
    .text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A70FEF
    .text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A70FD4
    .text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A70FC3
    .text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00A70FB2
    .text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A80000
    .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C70FEF
    .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C70FCA
    .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FEF
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F88
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C6007D
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C6006C
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C6005B
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FB9
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C600AB
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C6009A
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600E1
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F48
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C600FC
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60040
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FD4
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F6D
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60025
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C6000A
    .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C600C6

  5. #5
    Junior Member
    Join Date
    Nov 2010
    Posts
    15

    Default rest of gmer text

    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 001B0FCA
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 001B0040
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 001B001B
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 001B000A
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 001B0F83
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 001B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 001B0F9E
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3B, 88]
    .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 001B0FB9
    .text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0F9C
    .text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0FB7
    .text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE001D
    .text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0FC8
    .text C:\WINDOWS\system32\svchost.exe[1972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE000C
    .text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C8000A
    .text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C8001B
    .text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C80FE5
    .text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00C80036
    .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
    .text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EB0FE5
    .text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EB0FB9
    .text C:\WINDOWS\system32\svchost.exe[1988] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB0FCA
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EA0000
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EA0F92
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EA0FA3
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EA0FCA
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EA0087
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EA006C
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EA0F5F
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EA0F70
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA0F30
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA00D3
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA00EE
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0FE5
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA001B
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA0F81
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA0047
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA0036
    .text C:\WINDOWS\system32\svchost.exe[1988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA00C2
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9002C
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90F9B
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E9001B
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E9000A
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90062
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90FE5
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E90047
    .text C:\WINDOWS\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E90FC0
    .text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80033
    .text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80FB2
    .text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80FC3
    .text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80FEF
    .text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80018
    .text C:\WINDOWS\system32\svchost.exe[1988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80FDE
    .text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E60FE5
    .text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E60FCA
    .text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E60000
    .text C:\WINDOWS\system32\svchost.exe[1988] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00E60FA5
    .text C:\WINDOWS\system32\svchost.exe[1988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
    .text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 010B0FEF
    .text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 010B0FD4
    .text C:\WINDOWS\system32\dllhost.exe[3492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 010B0000
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010A0FEF
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010A0082
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010A005D
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010A0040
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010A002F
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010A0014
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010A0F55
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010A0F66
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010A0F33
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010A00C2
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010A00DD
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010A0F8D
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010A0FCA
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010A0093
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010A0FA8
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010A0FB9
    .text C:\WINDOWS\system32\dllhost.exe[3492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010A0F44
    .text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FA8
    .text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FC3
    .text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0029
    .text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FD4
    .text C:\WINDOWS\system32\dllhost.exe[3492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0018
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01090022
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0109004E
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01090011
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01090FDB
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01090F91
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01090000
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01090033
    .text C:\WINDOWS\system32\dllhost.exe[3492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01090FAC
    .text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0000
    .text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0FDB
    .text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0011
    .text C:\WINDOWS\system32\dllhost.exe[3492] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00FD002C
    .text C:\WINDOWS\system32\dllhost.exe[3492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A543292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A543292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A543292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A543292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A543292

    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 312499744 (+255): rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----

  6. #6
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello tbinder

    Please let me know if I haven't included what you need or if I have pasted/attached incorrectly.
    You did everything perfectly

    I told him no more helping
    While it is always tempting to run scans and extra tools, please try to refrain from doing so as it can make spotting problems and log interpretation much more difficult.

    Please do the following:


    1. Please disable Spybot Teatimer


      • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
      • On the left hand side, click "Tools", then click on the "Resident" icon in the list.
      • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active" box.
      • Click the "System Startup" icon in the List.
      • Uncheck the "TeaTimer" box and "OK" any prompts.
      • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
      • Exit Spybot S&D when done.


    2. Combofix
      • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop


      • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
      • Double click on ComboFix.exe & follow the prompts.


      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      • Click on Yes, to continue scanning for malware.
      • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
      • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
    Proud Graduate of the WTT Classroom

  7. #7
    Junior Member
    Join Date
    Nov 2010
    Posts
    15

    Default

    When I go to System Startup I do not see anything called TeaTimer to uncheck? There are three columns of information, key, value and command line - I don't see TeaTimer in any of these areas? I also started getting error messages today that McAfee couldn't update software with a suggestion to check my internet connection - connection is fine? Now what??

  8. #8
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello tbinder

    Now what??
    Please make sure that the "Resident TeaTimer" box is Unchecked and everything should be fine. Once it is Unchecked go ahead and run ComboFix
    Last edited by JonTom; 2010-11-20 at 19:58. Reason: Typo
    Proud Graduate of the WTT Classroom

  9. #9
    Junior Member
    Join Date
    Nov 2010
    Posts
    15

    Default

    To disable McAfee, do I just turn the firewall off, or is there something else that also needs to be done? Do I need to disable anything else like Malwarebytes Anti-Malware or Spybot S&D, CCleaner? Do I do anything with those or anything else?

  10. #10
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello tbinder

    Do I need to disable anything else like Malwarebytes Anti-Malware or Spybot S&D, CCleaner?
    You do not need to disable Malwarebytes or CCleaner, and provided you disable Spybot's TeaTimer all should be well.

    To disable McAfee, do I just turn the firewall off, or is there something else that also needs to be done?
    You need to disable the Firewall and the AntiVirus (if you have additional applications you can disable them also).

    There is information provided in the ComboFix instructions to help you disable your security applications, and you can also refer to your User manual for additional information.

    As a general guide please try the following:


    Double-click the McAfee icon in your taskbar (bottom right hand corner of the screen) to open McAfee SecurityCenter

    Click Advanced Menu (bottom)

    Click Configure (left)

    Click Computer & Files (top left)

    In the right-hand space you can disable VirusScan and select for how long (as we do not know how long ComboFix will take to complete its scan, you may have to leave McAfee permanently disabled and then re-enable it after the scan has completed).

    You should also be able to disable your Firewall and additional McAfee features from this page.

    Once McAfee is disabled run ComboFix and post the log created.
    Proud Graduate of the WTT Classroom
