
Thread: Virtumonde Infection

  1. #1
    Junior Member
    Join Date
    Sep 2009
    Posts
    13

    Virtumonde Infection

    Hi,

    Last night, I noticed my browser was acting strange when all of the links on every page were going to the same couple of websites (which just showed ads). I ran Spybot S&D and Malwarebytes and they both identified Virtumonde and claim they deleted it. The problem went away after this.

    But I have noticed that I am currently unable to do a system restore and I cannot enter safe mode (I get a BSOD when I try to do so). I don't know whether these are related to this virus, but I suspect that they are.

    Any help would be appreciated in trying to figure out if this thing has indeed been beaten.

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:35:47 PM, on 9/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\AstSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1080620
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1080620
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [symPCCheckup] "C:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe" /task /reboot
    O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
    O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: OneNote Table Of Contents.onetoc2
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6796.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\system32\AstSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 12053 bytes

  2. #2
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875


    Hello and welcome to Safer Networking.

    My name is km2357 and I will be helping you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

    I will be back as soon as possible with your first instructions!
    Malware Removal University Master
    Member of ASAP & UNITE

  3. #3
    Junior Member
    Join Date
    Sep 2009
    Posts
    13


    Thanks for the reply km2357, I appreciate you taking the time to do this.

    Looking forward to making sure that everything is gone.

  4. #4
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875


    Step # 1: Remove Hijackthis Entries

    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):


      O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    Step # 2: Download and run DDS

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.



    Step # 3: Download and Run Gmer

    Please download gmer.zip from Gmer and save it to your desktop.

    ***Please close any open programs ***

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click No.
    • Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

    If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
    • Click the Scan button and let the program do its work. GMER will produce a log.
    • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


    DO NOT touch the PC at ALL, for whatever reason, until it has 100% completed its scan (or its attempted scan, in case of some error)!

    Please post the results from the GMER scan in your reply.


    In your next post/reply, I need to see the following:

    1. The two DDS Logs (DDS and Attach.txt)
    2. The GMER Log
    Malware Removal University Master
    Member of ASAP & UNITE
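Reading an HJT log is the analyst's work behind "Step # 1" above: each O-numbered line names a load point, and the entries to check first are those where the log cannot show what actually runs. The Python below is an added example written for this thread, not HijackThis, DDS, GMER or the forum's own tooling; it parses O2/O4/O20/O23 lines into records and marks Run values given as bare filenames, AppInit_DLLs and Winlogon Notify modules, and services HijackThis reports as "Unknown owner", using a constructed excerpt in HJT format.

```python
"""Structure HijackThis (HJT) log lines and mark the load points that
deserve a second look. Added example for this thread; it is not part of
HijackThis, DDS, GMER or the forum's tooling. SAMPLE_LOG is a constructed
excerpt in HJT format."""
import re
from dataclasses import dataclass
from typing import List, Optional

# O4: "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O2: "O2 - BHO: Name - {CLSID} - dll path"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O20: "O20 - AppInit_DLLs: path"  or  "O20 - Winlogon Notify: Name - path"
O20_RE = re.compile(r"^O20 - (?P<mech>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")
# O23: "O23 - Service: Display (short) - Company - path"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str            # O2 / O4 / O20 / O23
    name: str            # value name, BHO name or service display name
    target: str          # the module or executable the entry actually loads
    note: Optional[str]  # why an analyst would look closer, or None


def executable_of(cmd: str) -> str:
    """Return the image an O4 command line launches. For rundll32 the
    interesting file is the DLL it loads, so return that instead."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        image = cmd[1:end] if end > 0 else cmd[1:]
        rest = cmd[end + 1:].strip() if end > 0 else ""
    else:
        image, _, rest = cmd.partition(" ")
    if image.lower().endswith("rundll32.exe") and rest:
        # "RUNDLL32.EXE C:\path\x.dll,EntryPoint" -> the DLL before the comma
        return rest.split(",", 1)[0].strip().strip('"')
    return image


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; lines of section types not handled return None."""
    line = line.strip()
    if m := O4_RE.match(line):
        target = executable_of(m["cmd"])
        note = None
        if "\\" not in target:
            # No directory given: Windows resolves the name through the search
            # path, so the log alone cannot tell which file actually runs.
            note = "bare filename, resolved via search path"
        return Entry("O4", m["name"], target, note)
    if m := O2_RE.match(line):
        return Entry("O2", m["name"], m["path"], None)
    if m := O20_RE.match(line):
        if m["mech"] == "AppInit_DLLs":
            # AppInit_DLLs modules are loaded into every process that maps user32.dll
            return Entry("O20", "AppInit_DLLs", m["rest"], "loads into every user32 process")
        name, _, path = m["rest"].partition(" - ")
        return Entry("O20", name, path, "loaded by winlogon.exe")   # Winlogon Notify package
    if m := O23_RE.match(line):
        note = "unknown owner" if m["company"] == "Unknown owner" else None
        return Entry("O23", m["display"], m["path"], note)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries carrying an analyst note, in log order."""
    return [e for e in entries if e.note]


# Constructed excerpt in HJT format (lines of the kind shown in the thread).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.kind} {e.name!r:16} -> {e.target}  [{e.note}]")
```

A flagged entry is a prompt to check the file on disk (location, publisher, hash), not a verdict; the thread's Alcmtr line is flagged only because the log gives no path for it.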

  5. #5
    Junior Member
    Join Date
    Sep 2009
    Posts
    13


    Step 1:

    This entry appears to be gone. It was not shown when I re-ran HijackThis:

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    Step 2:

    DDS


    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Bradley at 14:20:55.21 on Tue 09/15/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2551 [GMT -4:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\AstSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Bradley\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\docume~1\bradley\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
    StartupFolder: c:\docume~1\bradley\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\documents and settings\bradley\start menu\programs\startup\OneNote Table Of Contents.onetoc2
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: turbotax.com
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\bradley\applic~1\mozilla\firefox\profiles\wa2vaw0y.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ============= SERVICES / DRIVERS ===============

    R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-6-19 128000]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-13 28544]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-19 214024]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-6-26 353672]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-19 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-19 144704]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-27 24652]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-19 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-19 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-19 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-19 40552]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-19 34248]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]

    =============== Created Last 30 ================

    2009-09-15 08:56 229,888 a------- c:\windows\PEV.exe
    2009-09-15 08:56 161,792 a------- c:\windows\SWREG.exe
    2009-09-15 08:56 98,816 a------- c:\windows\sed.exe
    2009-09-15 08:56 <DIR> --d----- C:\ComboFix
    2009-09-15 08:54 <DIR> --d----- c:\program files\common files\Symantec Shared
    2009-09-14 16:28 <DIR> --d----- C:\VundoFix Backups
    2009-09-14 14:58 <DIR> --d----- C:\$AVG8.VAULT$
    2009-09-14 14:50 <DIR> --d----- c:\program files\AVG
    2009-09-14 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-09-14 14:44 <DIR> --d----- c:\docume~1\bradley\applic~1\AVG8
    2009-09-13 19:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys
    2009-09-13 19:13 <DIR> --d----- c:\program files\Panda Security
    2009-09-13 18:00 <DIR> a-dshr-- C:\cmdcons
    2009-09-13 18:00 <DIR> --d----- c:\windows\setup.pss
    2009-09-13 18:00 <DIR> --d----- c:\windows\setupupd
    2009-09-13 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-09-13 16:40 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-09-13 16:40 <DIR> --d----- c:\docume~1\bradley\applic~1\SUPERAntiSpyware.com
    2009-09-13 16:22 31,744 a------- c:\windows\system32\dllcache\wceusbsh.sys
    2009-09-13 16:21 50,688 a------- c:\windows\system32\dllcache\umaxscan.dll
    2009-09-13 16:20 36,640 a------- c:\windows\system32\dllcache\t2r4mini.sys
    2009-09-13 16:19 35,913 a------- c:\windows\system32\dllcache\smcirda.sys
    2009-09-13 16:18 17,280 a------- c:\windows\system32\dllcache\scr111.sys
    2009-09-13 16:17 899,146 a------- c:\windows\system32\dllcache\r2mdkxga.sys
    2009-09-13 16:16 25,216 a------- c:\windows\system32\dllcache\ovsound2.sys
    2009-09-13 16:15 59,104 a------- c:\windows\system32\dllcache\n9i128v2.dll
    2009-09-13 16:14 65,536 a------- c:\windows\system32\dllcache\EXCH_mailmsg.dll
    2009-09-13 16:13 13,056 a------- c:\windows\system32\dllcache\inport.sys
    2009-09-13 16:12 13,312 a------- c:\windows\system32\dllcache\hpsjmcro.dll
    2009-09-13 16:11 45,568 a------- c:\windows\system32\dllcache\esunib.dll
    2009-09-13 16:10 229,462 a------- c:\windows\system32\dllcache\digifwrk.dll
    2009-09-13 16:09 187,938 a------- c:\windows\system32\dllcache\c_20005.nls
    2009-09-13 16:08 169,984 a------- c:\windows\system32\dllcache\iisui.dll
    2009-09-13 16:08 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
    2009-09-13 16:08 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
    2009-09-13 16:08 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
    2009-09-13 16:08 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
    2009-09-13 16:08 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
    2009-09-13 16:08 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
    2009-09-13 14:23 <DIR> --d----- c:\program files\Trend Micro
    2009-09-13 09:14 161 a------- c:\windows\wininit.ini
    2009-09-13 09:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-09-13 09:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-09-13 02:11 <DIR> --d----- c:\documents and settings\bradley\.housecall6.6
    2009-09-13 01:51 <DIR> --d----- c:\docume~1\bradley\applic~1\Malwarebytes
    2009-09-13 01:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-13 01:51 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-09-13 01:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-09-13 01:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-09-13 00:58 <DIR> --d----- c:\windows\pss

    ==================== Find3M ====================

    2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-08-05 05:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
    2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
    2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
    2009-07-17 15:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
    2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
    2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
    2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
    2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
    2009-07-10 09:27 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
    2009-07-10 08:45 103,509 a------- c:\windows\hpoins04.dat
    2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
    2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll
    2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
    2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
    2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
    2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
    2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
    2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
    2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-06-22 02:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
    2009-06-21 17:44 153,088 a------- c:\windows\system32\dllcache\triedit.dll
    2008-08-28 03:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

    ============= FINISH: 14:21:13.95 ===============


    Attach


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/26/2008 1:40:30 PM
    System Uptime: 9/15/2009 12:43:55 PM (2 hours ago)

    Motherboard: Dell Inc | | 0PP150
    Processor: Intel Pentium III Xeon processor | Socket 775 | 3166/1333mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 462 GiB total, 430.914 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 9/15/2009 1:11:49 PM - System Checkpoint

    ==== Installed Programs ======================


    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9.1.3
    Adobe Shockwave Player 11.5
    Advanced Find and Replace v4.2
    AIM 6
    AiO_Scan
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Apple Mobile Device Support
    Apple Software Update
    BCL easyPDF Printer Driver 5.1
    Bonjour
    Browser Address Error Redirector
    Call of Duty
    Call of Duty - United Offensive
    CCleaner (remove only)
    Copy
    CreativeProjects
    Critical Update for Windows Media Player 11 (KB959772)
    CuteFTP 5.0 XP
    Dell DataSafe Online
    Dell System Restore
    Director
    DocProc
    Documentation & Support Launcher
    eFax Messenger
    Games, Music, & Photos Launcher
    Google Desktop
    Google Talk (remove only)
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    HP Image Zone 4.2
    HP PSC & OfficeJet 4.2
    HP Software Update
    HP Unload DLL Patch
    hpmdtab
    HPSystemDiagnostics
    InstantShare
    Internet Service Offers Launcher
    iTunes
    Java(TM) 6 Update 5
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Memories Disc Creator 2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft FrontPage 2002
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MobileMe Control Panel
    Mozilla Firefox (3.0.13)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB933579)
    Musicmatch for Windows Media Player
    NVIDIA Drivers
    NVIDIA Performance
    NVIDIA System Monitor
    oggcodecs 0.71.0946
    overland
    Paint Shop Pro 6.0 (CD-ROM)
    Panda ActiveScan 2.0
    PhotoGallery
    PowerDVD
    QFolder
    QuickProjects
    QuickTime
    Realtek High Definition Audio Driver
    Risk®
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Scan
    SearchAssist
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    SkinsHP1
    SkinsHP2
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    TrayApp
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wmiiper
    TurboTax 2008 wnciper
    TurboTax 2008 wrapper
    TurboTax Deluxe 2007
    Unity Web Player
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    Viewpoint Media Player
    WebEx
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    WinZip 12.1
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    9/15/2009 9:04:29 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
    9/15/2009 8:59:23 AM, error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).
    9/15/2009 8:57:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
    9/14/2009 12:13:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    9/14/2009 12:07:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    9/14/2009 12:05:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    9/14/2009 12:04:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/14/2009 12:04:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    9/14/2009 12:04:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss SASDIFSV SASKUTIL Tcpip vsdatant
    9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
    9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/13/2009 4:23:53 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
    9/13/2009 4:08:45 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    9/13/2009 11:44:08 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001EC93798BB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    Step 3:

    I will run GMER now.

    ==== End Of File ===========================

  6. #6
    Junior Member
    Join Date
    Sep 2009
    Posts
    13

    Default

    By the way, I previously mentioned that I was unable to boot up in SAFE mode. I am now able to do this.

    GMER is running and I will post the log when it has completed.

  7. #7
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Ok, post the GMER log when it's ready.


    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}


    Having two firewalls running at the same time can cause conflicts and possible crashes. Please remove/disable one of them.


    Looking over your DDS Log, I see you recently downloaded/ran ComboFix. ComboFix should not be run unless specifically instructed to do so by a trained malware remover. If you did run ComboFix before I started helping, please post the ComboFix Log. You can find it at C:\ComboFix.txt
    Malware Removal University Master
    Member of ASAP & UNITE
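
    The event log section of the attach.txt above shows every boot-start driver failing in the same second (event 7026), which is what you see when safe mode will not come up. As an added example, not code from this thread or from any of the tools in it, the script below parses those Service Control Manager lines and separates the failed drivers that belong to third-party security products from the rest. The driver-to-product mapping is taken from this thread's own logs (vsdatant is named as the TrueVector dependency in event 7001, mfehidk.sys and Mpfp.sys are the McAfee drivers in the ComboFix Find3M report, pavboot.sys sits under Panda Security, and SASDIFSV/SASKUTIL are in the SUPERAntiSpyware folder); any driver not in that mapping is assumed to be a Windows-supplied one. The sample lines are copied from the log above.

```python
import re

# Constructed sample input: four Service Control Manager lines copied from the
# "Event Viewer Messages From Past Week" section of the DDS attach.txt in this thread.
SAMPLE_EVENTS = """\
9/14/2009 12:04:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss SASDIFSV SASKUTIL Tcpip vsdatant
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/15/2009 8:57:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
"""

# Driver name (lower-case) -> product. Taken from this thread's own logs; it is an
# assumption that every name NOT listed here is a Windows-supplied driver.
THIRD_PARTY = {
    "vsdatant": "ZoneAlarm (TrueVector)",   # event 7001: TrueVector depends on vsdatant
    "mfehidk": "McAfee",                    # c:\windows\system32\drivers\mfehidk.sys
    "mpfp": "McAfee Personal Firewall",     # c:\windows\system32\drivers\Mpfp.sys
    "pavboot": "Panda",                     # installed with c:\program files\Panda Security
    "sasdifsv": "SUPERAntiSpyware",         # c:\program files\SUPERAntiSpyware\sasdifsv.sys
    "saskutil": "SUPERAntiSpyware",         # c:\program files\SUPERAntiSpyware\SASKUTIL.SYS
}

# DDS event line: "<m/d/yyyy h:mm:ss AM>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# Event 7001 body: "The X service depends on the Y service which failed to start ..."
DEPEND_RE = re.compile(r"The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed")


def parse_events(text):
    """Parse DDS-style event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            events.append(d)
    return events


def failed_boot_drivers(events):
    """Driver names from SCM event 7026 (boot-start/system-start drivers that failed to load)."""
    drivers = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] == 7026:
            _, _, names = ev["msg"].partition("failed to load:")
            drivers.extend(names.split())
    return drivers


def classify_drivers(drivers):
    """Split failed drivers into {product: [drivers]} for known third-party products and a list of the rest."""
    third_party, other = {}, []
    for name in drivers:
        product = THIRD_PARTY.get(name.lower())
        if product:
            third_party.setdefault(product, []).append(name)
        else:
            other.append(name)
    return third_party, other


def broken_dependencies(events):
    """Map dependent service -> the dependency that failed, from SCM event 7001."""
    deps = {}
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] == 7001:
            m = DEPEND_RE.search(ev["msg"])
            if m:
                deps[m.group("svc")] = m.group("dep")
    return deps


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    third_party, other = classify_drivers(failed_boot_drivers(evs))
    print("Failed boot-start drivers from third-party security products:")
    for product, names in third_party.items():
        print(f"  {product}: {', '.join(names)}")
    print("Other failed boot-start drivers (assumed Windows):", ", ".join(other))
    for svc, dep in broken_dependencies(evs).items():
        print(f"Service '{svc}' could not start because '{dep}' failed")
```

    Run as-is it reports the ZoneAlarm, McAfee, Panda and SUPERAntiSpyware drivers separately from the ten Windows networking and kernel drivers (AFD, Tcpip, NetBT, IPSec and so on) that failed in the same event. When the whole boot-start chain fails at once like this, the core drivers are collateral, so the product drivers are the ones worth looking at first; that is consistent with the advice above to run only one of the two firewalls.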

  8. #8
    Junior Member
    Join Date
    Sep 2009
    Posts
    13

    Default

    Do you have any thoughts on whether McAfee or ZoneAlarm would be a better firewall? Let me know and I will disable one of them.

    I did run ComboFix earlier today and will post that log as well once GMER is done running. I'm all yours now, however, and promise not to run anything else without your instruction.

  9. #9
    Junior Member
    Join Date
    Sep 2009
    Posts
    13

    Default

    ComboFix 09-09-14.02 - Bradley 09/15/2009 8:57.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2753 [GMT -4:00]
    Running from: c:\documents and settings\Bradley\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\0.mdd
    c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\1.mdd
    c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\2.mdd
    c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\3.mdd
    c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\4.mdd
    c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\5.mdd
    c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\6.mdd
    c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\0.mdd
    c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\1.mdd
    c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\2.mdd
    c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\3.mdd
    c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\4.mdd
    c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\5.mdd
    c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\6.mdd
    c:\windows\Downloaded Program Files\bdcore.dll
    c:\windows\Downloaded Program Files\libfn.dll
    c:\windows\Installer\28200b1.msi

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
    .

    2009-09-15 12:54 . 2009-09-15 12:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-09-15 12:54 . 2009-09-15 12:54 -------- d-----w- c:\program files\Norton PC Checkup
    2009-09-14 20:28 . 2009-09-14 20:28 -------- d-----w- C:\VundoFix Backups
    2009-09-14 18:58 . 2009-09-14 18:58 -------- d-----w- C:\$AVG8.VAULT$
    2009-09-14 18:50 . 2009-09-14 18:50 -------- d-----w- c:\program files\AVG
    2009-09-14 18:50 . 2009-09-14 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-09-14 18:44 . 2009-09-14 18:44 -------- d-----w- c:\documents and settings\Bradley\Application Data\AVG8
    2009-09-14 17:19 . 2009-09-14 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-09-14 17:18 . 2009-09-14 17:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-09-14 17:18 . 2009-09-14 17:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-14 16:20 . 2009-09-14 16:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-09-14 15:19 . 2009-09-14 15:38 -------- d-----w- c:\windows\BDOSCAN8
    2009-09-13 23:13 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-09-13 23:13 . 2009-09-13 23:13 -------- d-----w- c:\program files\Panda Security
    2009-09-13 20:40 . 2009-09-13 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-09-13 20:40 . 2009-09-13 20:40 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-09-13 20:40 . 2009-09-13 20:40 -------- d-----w- c:\documents and settings\Bradley\Application Data\SUPERAntiSpyware.com
    2009-09-13 20:22 . 2008-04-13 18:45 31744 ----a-w- c:\windows\system32\dllcache\wceusbsh.sys
    2009-09-13 20:21 . 2001-08-18 02:36 50688 ----a-w- c:\windows\system32\dllcache\umaxscan.dll
    2009-09-13 20:20 . 2001-08-17 16:50 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
    2009-09-13 20:19 . 2001-08-17 16:10 35913 ----a-w- c:\windows\system32\dllcache\smcirda.sys
    2009-09-13 20:18 . 2001-08-17 17:51 17280 ----a-w- c:\windows\system32\dllcache\scr111.sys
    2009-09-13 20:17 . 2001-08-17 17:28 899146 ----a-w- c:\windows\system32\dllcache\r2mdkxga.sys
    2009-09-13 20:16 . 2001-08-17 18:05 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
    2009-09-13 20:15 . 2001-08-18 02:36 59104 ----a-w- c:\windows\system32\dllcache\n9i128v2.dll
    2009-09-13 20:14 . 2001-08-18 02:36 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
    2009-09-13 20:13 . 2004-08-04 10:00 8704 ----a-w- c:\windows\system32\dllcache\infoctrs.dll
    2009-09-13 20:12 . 2001-08-18 02:36 13312 ----a-w- c:\windows\system32\dllcache\hpsjmcro.dll
    2009-09-13 20:11 . 2001-08-18 02:36 45568 ----a-w- c:\windows\system32\dllcache\esunib.dll
    2009-09-13 20:10 . 2001-08-18 02:36 229462 ----a-w- c:\windows\system32\dllcache\digifwrk.dll
    2009-09-13 20:09 . 2001-08-17 17:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2009-09-13 20:08 . 2004-08-04 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
    2009-09-13 20:08 . 2004-08-04 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
    2009-09-13 20:08 . 2004-08-04 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
    2009-09-13 20:08 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
    2009-09-13 20:08 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
    2009-09-13 20:08 . 2004-08-04 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
    2009-09-13 20:02 . 2009-09-13 20:02 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-13 18:23 . 2009-09-13 18:23 -------- d-----w- c:\program files\Trend Micro
    2009-09-13 13:02 . 2009-09-13 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-09-13 13:02 . 2009-09-13 13:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-09-13 06:32 . 2009-09-13 06:34 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-09-13 06:11 . 2009-09-13 23:07 -------- d-----w- c:\documents and settings\Bradley\.housecall6.6
    2009-09-13 05:51 . 2009-09-13 05:51 -------- d-----w- c:\documents and settings\Bradley\Application Data\Malwarebytes
    2009-09-13 05:51 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-13 05:51 . 2009-09-13 05:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-13 05:51 . 2009-09-13 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-13 05:51 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-13 20:39 . 2008-06-26 23:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-09-12 16:25 . 2008-06-27 02:39 -------- d-----w- c:\program files\Paint Shop Pro 6
    2009-09-10 13:55 . 2009-08-09 01:33 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-09-03 11:14 . 2008-06-19 23:39 -------- d-----w- c:\program files\McAfee
    2009-08-09 17:01 . 2008-06-19 23:46 30872 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-09 04:48 . 2009-08-09 04:48 -------- d-----w- c:\program files\MSBuild
    2009-08-09 04:48 . 2009-08-09 04:48 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-30 03:53 . 2009-04-08 21:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-21 15:15 . 2008-06-19 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-16 16:32 . 2008-06-19 23:39 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-07-14 03:43 . 2004-08-11 22:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-10 12:45 . 2009-07-10 12:34 103509 ----a-w- c:\windows\hpoins04.dat
    2009-07-08 17:44 . 2008-06-19 23:39 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-07-08 17:44 . 2008-06-19 23:39 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-07-08 17:44 . 2008-06-19 23:39 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-07-08 17:44 . 2008-06-19 23:39 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-07-08 17:43 . 2008-06-19 23:39 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-07-03 17:09 . 2004-08-11 22:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-04-02 17:52 . 2009-04-02 17:52 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-04-02 17:52 . 2009-04-02 17:52 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
    "eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-10-26 184352]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-19 29744]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-01-15 16855552]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

    c:\documents and settings\Jen\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

    c:\documents and settings\Bradley\Start Menu\Programs\Startup\
    eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
    OneNote Table Of Contents.onetoc2 [2009-6-22 3656]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-10 525640]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/13/2009 7:13 PM 28544]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/27/2008 1:40 AM 24652]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-19 01:26]

    2009-08-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-19 01:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    FF - ProfilePath - c:\documents and settings\Bradley\Application Data\Mozilla\Firefox\Profiles\wa2vaw0y.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-DXDllRegExe - dxdllreg.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-15 09:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(744)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1372)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\AstSrv.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\program files\McAfee\MSK\msksrver.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-15 9:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-15 13:06

    Pre-Run: 462,665,732,096 bytes free
    Post-Run: 462,646,091,776 bytes free

    256 --- E O F --- 2009-09-10 04:42

  10. #10
    Junior Member, Join Date: Sep 2009, Posts: 13

    GMER 1.0.15.15087 - http://www.gmer.net
    Rootkit scan 2009-09-15 17:29:20
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Bradley\LOCALS~1\Temp\pxtdqpob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAB215FC0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAB212C80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xAB22D170]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAB216580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xAB22A900]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xAB22AB10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xAB22EB10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAB216670]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAB213210]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xAB22D9F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xAB22D7A0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xAB22A280]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xAB22DF10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAB22DF90]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAB213070]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xAB22C180]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xAB22BF40]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAB22E6F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xAB22E150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAB215BE0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xAB22E540]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xAB216190]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAB213440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xAB22D4E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xAB22B200]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xAB22B080]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAB0F8625]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAB0F860F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAB0F8528]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAB0F8651]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAB0F856B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAB0F84FC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAB0F868D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAB0F85F9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAB0F85E3]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAB0F84D4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAB0F84C0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAB0F863B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAB0F853E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAB0F8512]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [80, 65, 21, AB, 00, A9, 22, ...]
    .text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AB0F8516 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AB0F852C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AB0F8542 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AB0F8500 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP AB0F84C4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP AB0F84D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP AB0F85E7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP AB0F863F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP AB0F85FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP AB0F8629 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 7 Bytes JMP AB0F8613 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP AB0F856F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP AB0F8691 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP AB0F8655 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? srescan.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90F79
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E9006E
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90047
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90036
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FAF
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F41
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F68
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90F15
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900AE
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900BF
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90F94
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E9001B
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90093
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FCA
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FDB
    .text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F26
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80036
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E8008E
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E8001B
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FE5
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80073
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80000
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E80062
    .text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80047
    .text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70FA3
    .text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70FBE
    .text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E7001D
    .text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70FEF
    .text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E7002E
    .text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E7000C
    .text C:\WINDOWS\system32\svchost.exe[136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60000
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE00B6
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE009B
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0080
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FC3
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0054
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00FF
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00E4
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F7A
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F8B
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F69
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE006F
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00C7
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0039
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0014
    .text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F9C
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930F9E
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093002F
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FAF
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FCA
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930F68
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930F8D
    .text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FA6
    .text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920031
    .text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC8
    .text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
    .text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB7
    .text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FE3
    .text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 0090000A
    .text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00900FE5
    .text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00900FD4
    .text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00900025
    .text C:\WINDOWS\system32\svchost.exe[444] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007006C
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F77
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070051
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F9E
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F35
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F50
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700C4
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700B3
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700DF
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FAF
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FEF
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0007007D
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070025
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
    .text C:\WINDOWS\system32\services.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700A2
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FA8
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F61
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FC3
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F7C
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006001E
    .text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060F97
    .text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050027
    .text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F9C
    .text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2
    .text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
    .text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FC1
    .text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005000C
    .text C:\WINDOWS\system32\services.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F8D
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80082
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F8005B
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F8004A
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80F9E
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800B8
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F800A7
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800E4
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800C9
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800F5
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80025
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FD4
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F7C
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80014
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80FC3
    .text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80F55
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70036
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70F91
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70FE5
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F7001B
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70058
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F7000A
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F70FC0
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 89]
    .text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70047
    .text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60F99
    .text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F6002E
    .text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F6000C
    .text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60FE3
    .text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F6001D
    .text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FD2
    .text C:\WINDOWS\system32\lsass.exe[800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FE5
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AD0FEF
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AD0F37
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AD002C
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AD0F5E
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AD001B
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AD000A
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AD006E
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AD0053
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AD0EFA
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AD0F0B
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AD00AE
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AD0F83
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AD0FD4
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AD0F1C
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AD0F9E
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AD0FB9
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AD0089
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC0FB9
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0F5E
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC0FCA
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FE5
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0F79
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AC001B
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0F94
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0061
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0050
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB002E
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0000
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB003F
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB001D
    .text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0FEF
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80FEF
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C8009D
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C8008C
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80FA8
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80FB9
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80051
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C800CE
