Probable self inflicted injury/searchinvented.com
-
Hi, my name is rob, American, living in the Philippines with Filipino wife and our 3 girls.
The first thing, when I registered, it asked my OS. My disk says Windows Vista Starter, but I clicked basic as there was no 'starter' listed. I'm pretty sure I have brought this problem upon myself.
Sorry for this brief medical stuff, but you might need it to understand the rest of my problem.
I am Bi-Polar2/non-psychotic, and have D.I.D. or dissociative identity disorder. You guys are web gurus, so I'm sure you can figure the meanings if you like. One of my most attractive features is the inability of deception in conversation, even in print. Sounds like a laudable quality, but makes friendships kinda difficult at times.
Anyway, they are the reasons I am going to do something that probably doesn't happen too often when someone comes looking for help; not to pretend like I don't know how it happened. Though I'm sure many do not.
I read all the instructions in your rules guide before joining, and I don't think this is impermissible.
I downloaded a program that I knew was copyrighted with the intent of using it for free.
There was a part of the program called a crack.rar file that gave me a serial number to put in the box when the software asked for it. It was called a keygen file, I believe.
The problem I am having is that my computer is not taking all of my commands anymore. It would not allow me to do a system restore to try and get rid of the problem (if that is possible?) by allowing me to only go back to the day before the installation of the program.
Usually, I think it gave me an option to go back further than 5 days, but not anymore. I tried to uninstall the program, and it goes through a long process before a window tells you that there were some problems during the uninstall, which are listed below. But there is nothing listed, just blank space. I went back and tried to redo the uninstall, and it just comes up like it is going to run, then does nothing.
I remember getting some strange requests from the computer at first, then a couple days ago I published a site I had been working on, and as soon as I went to view it, it said there was a problem contacting my server, and down the bottom of my computer said ztomy.com. But since then, it usually comes up searchinvent.com. You can see it down the bottom of the screen, it says 'transferring data'.
I found you guys by typing the words searchinvent.com in Google, and read the thread from a lady who sounded as though she was having some, actually a couple of the same problems as me. I used the advice that she received, but when I tried to finalize the process, the file I was trying to change actually forbade me from making changes, so I hit restart anyway, and the computer said, if you restart you might lose any unsaved data.
I hope this is a good starting point and I hope that I have not violated any policy by posting the truth of how I think I got infected.
Thank you. Sincerely, rob
Sorry, the lady who had a problem that was similar to mine, here is the link to that page: http://www.d-a-l.com/help/spyware-ad...l-pages-3.html
Last edited by diverdorr68; 04-02-2010 at 07:45 PM.
Reason: forgot to put in other info
-
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure you update Superantispyware and Malwarebytes before running the scans.***
STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15281 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
RESTART COMPUTER
STEP 4. Download HijackThis:
HijackThis - Trend Micro USA
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Hello Broni,
While following the instructions for step one, the scanning process hung at D:\$RECYCLE.BIN\Adb...\_560_ab8e354fee938288546b90 472ae93d5c, with the 'next' box highlighted. I waited 40 minutes, then hit the 'next' button. A window came up that said, 'scanning is not complete, do you wish to continue without completing the scan'. When I clicked 'yes', nothing happened. When I retried and clicked 'no', nothing happened.
The next option was to 'cancel'. I waited 20 more minutes to see if the computer was going to move, then clicked 'cancel'. A window appeared that said 'scanning is not complete, are you sure you wish to abort the scan'. I clicked yes, the window disappeared, and nothing happened. I had to use the task manager to cancel the program.
Next, I emptied the recycle bin, acquired new updates and re-ran the scan. This time, the scan hung on C:\windows\_default.pif. I moused over the item and it showed it was 707 bytes. I clicked it, and an empty DOS window came up. Then, a second box came up that said,
'16 bit DOS Subsystem
C:\Windows\_default.pif
Invalid program file name, please check your pif file. Choose 'close' to terminate the application.'
I closed and canceled the scan. I waited 1 hour before terminating the scan. Again, had to use the task manager.
Then acquired new updates, and attempted a new scan, but it did not complete due to an electrical blackout.
Next morning, power is back, got new updates, re-ran scan. Exact same results, hung overnight on C:\windows\_default.pif
Up until the point when the program hung each time, it showed no threats.
I checked for log info on each try, but none was to be found.
Gave up and moved on to step two.
I followed all your instructions and downloaded, updated and ran the scan.
This one completed
No threats detected
Log Follows:
Malwarebytes' Anti-Malware 1.44
Database version: 3697
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882
2/7/2010 3:14:09 AM
mbam-log-2010-02-07 (03-14-09).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 261060
Time elapsed: 1 hour(s), 35 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I am now moving on to step number three.
Thank you for your kind assistance, rob
-
Ok
-
ok, here is the step 3) gmer.log file:
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-02-07 06:01:35
Windows 6.0.6002 Service Pack 2
Running: hoi8wrn7.exe; Driver: C:\Users\ROBERT~1\AppData\Local\Temp\uxkcafoc.sys
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 00AB00DB
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 00F00053
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!system 7748804B 5 Bytes JMP 00F00FC8
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00F00FE3
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_open 7748D106 5 Bytes JMP 00F0000C
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 00F00038
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00F0001D
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 0064004A
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 00640FA8
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 00640FE5
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 0064002F
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 00640F83
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 00640FB9
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 00640FD4
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 0064000A
.text C:\Windows\System32\svchost.exe[1020] WS2_32.dll!socket 76D836D1 5 Bytes JMP 00670000
.text C:\Windows\System32\svchost.exe[1020] WININET.dll!InternetOpenA 75EDD690 5 Bytes JMP 00660FEF
.text C:\Windows\System32\svchost.exe[1020] WININET.dll!InternetOpenW 75EDDB09 5 Bytes JMP 00660FDE
.text C:\Windows\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlA 75EDF3A4 5 Bytes JMP 0066000A
.text C:\Windows\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlW 75F26DDF 5 Bytes JMP 0066002F
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1032] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1032] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 00950078
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 00950F32
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 00950F06
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 00950F17
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 00950067
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 00950FD4
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 00950FB9
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 00950F57
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 0095004C
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 00950F8D
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 00950025
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 00950F9E
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 00950F68
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 009500B8
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 00950FE5
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 00950000
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 00950093
.text C:\Windows\System32\svchost.exe[1116] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 00960055
.text C:\Windows\System32\svchost.exe[1116] msvcrt.dll!system 7748804B 5 Bytes JMP 00960FD4
.text C:\Windows\System32\svchost.exe[1116] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00960033
.text C:\Windows\System32\svchost.exe[1116] msvcrt.dll!_open 7748D106 5 Bytes JMP 0096000C
.text C:\Windows\System32\svchost.exe[1116] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 00960044
.text C:\Windows\System32\svchost.exe[1116] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00960FEF
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 00920F8D
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 00920FB9
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 00920000
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 00920FA8
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 00920F7C
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 0092001B
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 00920FE5
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 00920FCA
.text C:\Windows\System32\svchost.exe[1116] WS2_32.dll!socket 76D836D1 5 Bytes JMP 00940FEF
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 01310087
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 01310076
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 01310EFA
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 01310F15
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 01310F66
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 01310FD4
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 01310025
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 01310065
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 01310040
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 01310FA8
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 01310F83
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 01310FB9
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 01310F55
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 013100AC
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 01310FE5
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 01310000
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 01310F26
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 01320058
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!system 7748804B 5 Bytes JMP 01320047
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 01320FCD
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_open 7748D106 5 Bytes JMP 01320FEF
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 0132002C
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 01320FDE
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 012A0F97
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 012A0039
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 012A000A
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 012A0FB2
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 012A0054
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 012A0FD4
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 012A0FEF
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 012A0FC3
.text C:\Windows\system32\svchost.exe[1156] WS2_32.dll!socket 76D836D1 5 Bytes JMP 0130000A
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenA 75EDD690 5 Bytes JMP 012B0FEF
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenW 75EDDB09 5 Bytes JMP 012B0FDE
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenUrlA 75EDF3A4 5 Bytes JMP 012B0FCD
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenUrlW 75F26DDF 5 Bytes JMP 012B001E
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 00160082
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 00160F3C
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 001600AE
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 00160093
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 00160F72
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 00160FD4
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 00160FC3
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 00160071
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 00160F83
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 00160040
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 00160F94
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 0016002F
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 00160F61
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 00160F06
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 00160FEF
.text C:\Windows\system32\svchost.exe[1248] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 00160F21
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_wsystem 77487F2F 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 00170033
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!system 7748804B 5 Bytes JMP 00170022
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00170FC3
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_open 7748D106 5 Bytes JMP 00170FEF
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 00170FB2
.text C:\Windows\system32\svchost.exe[1248] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00170FDE
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 00140F7C
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 00140FB2
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 00140000
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 00140F97
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 00140F6B
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 00140FD4
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 00140FE5
.text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 00140FC3
.text C:\Windows\system32\svchost.exe[1248] WS2_32.dll!socket 76D836D1 5 Bytes JMP 00150FE5
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 009D0F49
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 009D0085
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 009D00C5
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 009D0F38
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 009D0F75
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 009D0FCD
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 009D0FB2
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 009D0074
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 009D004F
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 009D0032
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 009D0F86
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 009D0FA1
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 009D0F64
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 009D00E0
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 009D0FDE
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 009D00AA
.text C:\Windows\system32\svchost.exe[1300] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 00A20058
.text C:\Windows\system32\svchost.exe[1300] msvcrt.dll!system 7748804B 5 Bytes JMP 00A2003D
.text C:\Windows\system32\svchost.exe[1300] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00A20FDE
.text C:\Windows\system32\svchost.exe[1300] msvcrt.dll!_open 7748D106 5 Bytes JMP 00A20FEF
.text C:\Windows\system32\svchost.exe[1300] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 00A20FCD
.text C:\Windows\system32\svchost.exe[1300] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00A2000C
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 007B004A
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 007B0FB2
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 007B0FEF
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 007B0039
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 007B0F8D
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 007B0FD4
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 007B000A
.text C:\Windows\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 007B0FC3
.text C:\Windows\system32\svchost.exe[1300] WS2_32.dll!socket 76D836D1 5 Bytes JMP 009C0FEF
.text C:\Windows\system32\svchost.exe[1300] WinInet.dll!InternetOpenA 75EDD690 5 Bytes JMP 00920FEF
.text C:\Windows\system32\svchost.exe[1300] WinInet.dll!InternetOpenW 75EDDB09 5 Bytes JMP 00920FCA
.text C:\Windows\system32\svchost.exe[1300] WinInet.dll!InternetOpenUrlA 75EDF3A4 5 Bytes JMP 00920000
.text C:\Windows\system32\svchost.exe[1300] WinInet.dll!InternetOpenUrlW 75F26DDF 5 Bytes JMP 00920FB9
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 01BC0F37
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 01BC0F52
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 01BC00B3
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 01BC0098
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 01BC0062
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 01BC0025
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 01BC0036
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 01BC007D
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 01BC0F88
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 01BC0FCA
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 01BC0FAF
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 01BC0047
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 01BC0F6D
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 01BC00D8
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 01BC000A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 01BC0FEF
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 01BC0F1C
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 01BD0053
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!system 7748804B 5 Bytes JMP 01BD0042
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 01BD0FD2
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_open 7748D106 5 Bytes JMP 01BD0FEF
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 01BD001D
.text C:\Windows\system32\svchost.exe[1528] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 01BD000C
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 01BA0065
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 01BA0039
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 01BA0FEF
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 01BA0054
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 01BA0FB2
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 01BA001E
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 01BA0FDE
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 01BA0FCD
.text C:\Windows\system32\svchost.exe[1528] WS2_32.dll!socket 76D836D1 5 Bytes JMP 01BB0FEF
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 008100BA
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 008100A9
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 00810F19
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 00810F34
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 0081007D
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 00810FEF
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 00810FD4
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 00810F7E
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 00810F99
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 00810051
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 00810062
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 00810040
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 0081008E
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 00810F08
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 0081001B
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 00810000
.text C:\Windows\system32\svchost.exe[1756] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 00810F59
.text C:\Windows\system32\svchost.exe[1756] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 0094005F
.text C:\Windows\system32\svchost.exe[1756] msvcrt.dll!system 7748804B 5 Bytes JMP 00940044
.text C:\Windows\system32\svchost.exe[1756] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00940033
.text C:\Windows\system32\svchost.exe[1756] msvcrt.dll!_open 7748D106 5 Bytes JMP 0094000C
.text C:\Windows\system32\svchost.exe[1756] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 00940FDE
.text C:\Windows\system32\svchost.exe[1756] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00940FEF
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 007B0076
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 007B0FCA
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 007B0FEF
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 007B0051
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 007B0091
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 007B001B
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 007B000A
.text C:\Windows\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 007B0036
.text C:\Windows\system32\svchost.exe[1756] WS2_32.dll!socket 76D836D1 5 Bytes JMP 007C0FEF
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 001300B8
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 00130F68
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 001300FF
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 001300DA
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 00130071
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 0013001B
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 00130FCA
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 0013009D
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 00130054
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 00130FA8
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 00130F97
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 00130FB9
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 00130082
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 00130110
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 00130FEF
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 00130000
.text C:\Windows\system32\svchost.exe[1968] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 001300C9
.text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 00140042
.text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!system 7748804B 5 Bytes JMP 00140FAD
.text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00140FD2
.text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_open 7748D106 5 Bytes JMP 00140FEF
.text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 0014001D
.text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00140000
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 00080FA5
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 00080036
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 00080047
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 00080F94
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 00080FD4
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 00080FE5
.text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 00080025
.text C:\Windows\system32\svchost.exe[1968] WS2_32.dll!socket 76D836D1 5 Bytes JMP 00120000
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 00A30079
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 00A30F33
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 00A300AF
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 00A30094
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 00A30F55
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 00A30FC3
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 00A3000A
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 00A30F44
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 00A30F66
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 00A30F8D
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 00A3002F
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 00A30FA8
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 00A30054
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 00A300C0
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 00A30FD4
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 00A30FEF
.text C:\Windows\system32\svchost.exe[2156] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 00A30F18
.text C:\Windows\system32\svchost.exe[2156] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 00A40FB9
.text C:\Windows\system32\svchost.exe[2156] msvcrt.dll!system 7748804B 5 Bytes JMP 00A40044
.text C:\Windows\system32\svchost.exe[2156] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00A40029
.text C:\Windows\system32\svchost.exe[2156] msvcrt.dll!_open 7748D106 5 Bytes JMP 00A40FEF
.text C:\Windows\system32\svchost.exe[2156] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 00A40FD4
.text C:\Windows\system32\svchost.exe[2156] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00A40018
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 009D0F7C
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 009D0FA8
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 009D000A
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 009D0F97
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 009D0F6B
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 009D0FDE
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[2156] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 009D0FB9
.text C:\Windows\system32\svchost.exe[2156] WS2_32.dll!socket 76D836D1 5 Bytes JMP 009E000A
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 00060F5E
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 000600A4
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 00060F4D
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 000600DA
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 00060F79
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 00060011
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 00060FCA
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 00060089
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 00060051
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 00060F9E
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 00060040
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 00060FB9
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 0006006E
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 00060F3C
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 00060FE5
.text C:\Windows\System32\svchost.exe[2236] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 000600BF
.text C:\Windows\System32\svchost.exe[2236] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 000B0FA6
.text C:\Windows\System32\svchost.exe[2236] msvcrt.dll!system 7748804B 5 Bytes JMP 000B0FC1
.text C:\Windows\System32\svchost.exe[2236] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 000B000C
.text C:\Windows\System32\svchost.exe[2236] msvcrt.dll!_open 7748D106 5 Bytes JMP 000B0FEF
.text C:\Windows\System32\svchost.exe[2236] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 000B0027
.text C:\Windows\System32\svchost.exe[2236] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 000B0FD2
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 0005004A
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 00050FA8
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 0005000A
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 0005002F
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 00050F83
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 00050FD4
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[2236] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 00050FC3
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!GetStartupInfoW 770B1929 5 Bytes JMP 0001009D
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!GetStartupInfoA 770B19C9 5 Bytes JMP 00010F57
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!CreateProcessW 770B1BF3 5 Bytes JMP 00010F2B
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!CreateProcessA 770B1C28 5 Bytes JMP 000100C2
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!VirtualProtect 770B1DC3 5 Bytes JMP 00010F83
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!CreateNamedPipeA 770B2EF5 5 Bytes JMP 00010FD4
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!CreateNamedPipeW 770B5C0C 5 Bytes JMP 00010025
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!CreatePipe 770D8E6E 5 Bytes JMP 00010F68
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!LoadLibraryExW 770D9109 5 Bytes JMP 00010F94
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!LoadLibraryW 770D9362 5 Bytes JMP 00010FAF
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!LoadLibraryExA 770D94B4 5 Bytes JMP 00010051
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!LoadLibraryA 770D94DC 5 Bytes JMP 00010036
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!VirtualProtectEx 770DDBDA 5 Bytes JMP 00010078
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!GetProcAddress 770F903B 5 Bytes JMP 000100DD
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!CreateFileW 770FAECB 5 Bytes JMP 0001000A
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!CreateFileA 770FCE5F 5 Bytes JMP 00010FEF
.text C:\Windows\Explorer.EXE[2300] kernel32.dll!WinExec 77145CF7 5 Bytes JMP 00010F46
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegCreateKeyExA 75C439AB 5 Bytes JMP 00050F9B
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegCreateKeyA 75C43BA9 5 Bytes JMP 00050036
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegOpenKeyA 75C489C7 5 Bytes JMP 00050FEF
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegCreateKeyW 75C5391E 5 Bytes JMP 00050047
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegCreateKeyExW 75C541F1 5 Bytes JMP 00050058
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegOpenKeyExA 75C57C42 5 Bytes JMP 00050000
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegOpenKeyW 75C5E2B5 5 Bytes JMP 00050FD4
.text C:\Windows\Explorer.EXE[2300] ADVAPI32.dll!RegOpenKeyExW 75C67BA1 5 Bytes JMP 0005001B
.text C:\Windows\Explorer.EXE[2300] msvcrt.dll!_wsystem 77487F2F 5 Bytes JMP 00060FB2
.text C:\Windows\Explorer.EXE[2300] msvcrt.dll!system 7748804B 5 Bytes JMP 00060047
.text C:\Windows\Explorer.EXE[2300] msvcrt.dll!_creat 7748BBE1 5 Bytes JMP 00060011
.text C:\Windows\Explorer.EXE[2300] msvcrt.dll!_open 7748D106 5 Bytes JMP 00060000
.text C:\Windows\Explorer.EXE[2300] msvcrt.dll!_wcreat 7748D326 5 Bytes JMP 00060022
.text C:\Windows\Explorer.EXE[2300] msvcrt.dll!_wopen 7748D501 5 Bytes JMP 00060FD7
.text C:\Windows\Explorer.EXE[2300] WS2_32.dll!socket 76D836D1 5 Bytes JMP 01FC0000
.text C:\Windows\Explorer.EXE[2300] WININET.dll!InternetOpenA 75EDD690 5 Bytes JMP 02D10000
.text C:\Windows\Explorer.EXE[2300] WININET.dll!InternetOpenW 75EDDB09 5 Bytes JMP 02D1001B
.text C:\Windows\Explorer.EXE[2300] WININET.dll!InternetOpenUrlA 75EDF3A4 5 Bytes JMP 02D10036
.text C:\Windows\Explorer.EXE[2300] WININET.dll!InternetOpenUrlW 75F26DDF 5 Bytes JMP 02D10047
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076e5e8eb
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076e5e8eb@001d6e028932 0xEF 0xA9 0xFD 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076e5e8eb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076e5e8eb@001d6e028932 0xEF 0xA9 0xFD 0xB1 ...
---- EOF - GMER 1.0.15 ----
=========================================================
Did I just read that this virus hijacked my anti-virus and is using it for access to everything?
Next, number 4) I initially made the mistake of right clicking on the tab that says (paraphrasing) 'run scan and create log'
Here are the notes of what occurred afterwards:
As soon as the HijackThis scan started, a window came up that said,
For some reason your system denied write access to the Hosts file. If any hijacked domains are
listed in this file, HijackThis may NOT be able to fix this.
If that happens, you need to edit the file yourself,
to do this, click Start, Run, and type: notepad C:\Windows\System32\drivers\etc\hosts
and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.'
(with quotes) and reboot.
For Vista: simply, exit HijackThis, right click on the HijackThis icon,
choose 'Run as administrator'.
BTW, when I attempted to 'Run the scan as administrator' by right clicking the tab;
nothing occurred when I right clicked it, so I ran it in standard fashion.
The HijackThis program then ran for a short time before a 'notepad' window came up that said
it could not find the file, and asked if I wanted to create a new one.
Then, I realized I needed to look on the desktop for an icon.
=========================================================
Then, I right clicked and chose 'run as administrator', and it seemed to work fine,
and generated this report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:23 AM, on 2/7/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\ROBERT~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{457DB226-EA4F-43DF-BE83-4AD0E8BB4423}: NameServer = 121.1.3.168 121.1.3.250
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\Windows\system32\SupportAppXL\cdrom_mon.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 8571 bytes
=========================================================
I don't know if it is important, but it has never happened before. During the restarts after running the GMER and HijackThis programs, the speakers crackled when the Microsoft sound began.
Thanks Broni,
and thank you coffee, 

rob
P.S. Sorry, forgot this part, as it was written on a page that had fallen under the bed. During the course of step one and two, my homepage showed as yahoo.com, but my browser was redirected to au.yahoo.com. Also, after step two my websites showed up right after entering their address in the browser window, but are now unpublished. At the bottom of the screen, to add to the ztomy.com and searchinvent.com, 'image-cad.mediaplex.com' is also being displayed.
Last edited by diverdorr68; 07-02-2010 at 12:37 AM.
Reason: forgot this part
-
You're welcome 
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Hey Broni,
These guys have taken the gloves off. I went to paste your post in Word so I could print it. All, as in ALL of my Microsoft Office 2007 is gone.
-
-
No problem on the printing. But, when I tried to download the ComboFix, McAfee claimed to have picked up a trojan and prevented the program from downloading. I then went to the other option, but it was in Spanish. I couldn't make out anything for ComboFix, although I am sure it is there. Then, I went back to the first option and tried again, and the page will not load.
-
Disable McAfee (I hate that thing).
Download Combofix from HERE
I renamed the file for a reason.