WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by humblee » April 5th, 2009, 7:04 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:51 AM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\User\Desktop\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7278073109
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8912 bytes
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am
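A log like the one above is usually triaged by eye; as an added example (not part of this thread, and not HijackThis's own parser) the script below does the same triage mechanically over a pasted HJT 2.0.2 log. It splits the log into its R/F/O entry lines and flags the three things in this particular log that deserve a second look: entries whose target file is gone ("(no file)" / "(file missing)"), O23 services with no publisher ("Unknown owner"), and any executable appended to the UserInit value after a comma, which is a common persistence trick. The sample lines are a subset copied from the log above; the entry regex and the rule set are my own assumptions about the line format, not HJT's.

```python
import re

# Constructed sample: a subset of the HijackThis 2.0.2 log posted above.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Assumed entry shape: "O23 - Service: ...", "R1 - HKCU\...", "F2 - REG:...".
# The log header and the "Running processes" list never match this.
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Return one {'type', 'body', 'clsid'} dict per HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        clsid = CLSID_RE.search(m.group("body"))
        entries.append({"type": m.group("type"), "body": m.group("body"),
                        "clsid": clsid.group(0) if clsid else None})
    return entries


def userinit_extras(body):
    """Executables appended to the UserInit value besides userinit.exe.
    Malware often persists as 'userinit.exe,C:\\path\\to\\evil.exe'."""
    value = body.split("=", 1)[1] if "=" in body else ""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("userinit.exe")]


def triage(entries):
    """Apply the three rules and return the matching entries per rule."""
    findings = {"orphaned": [], "unknown_owner": [], "userinit_extra": []}
    for e in entries:
        body = e["body"]
        # Target file no longer exists: leftover from an uninstall, or from
        # something that was removed without cleaning its registration.
        if "(no file)" in body or "(file missing)" in body:
            findings["orphaned"].append(e)
        # Service whose binary carries no publisher information.
        if e["type"] == "O23" and " - Unknown owner - " in body:
            findings["unknown_owner"].append(e)
        # Extra binaries chained after userinit.exe run at every logon.
        if e["type"] == "F2" and "UserInit=" in body:
            findings["userinit_extra"].extend(userinit_extras(body))
    return findings


if __name__ == "__main__":
    for rule, hits in triage(parse_hjt(SAMPLE_HJT_LOG)).items():
        print(rule, len(hits))
        for h in hits:
            print("   ", h if isinstance(h, str) else h["type"], h if isinstance(h, str) else h["body"])
```

Running it over the sample reports three orphaned entries (the URLSearchHook, the nameless BHO and the iolo System Guard service) and two services without a publisher, and nothing chained after userinit.exe. Note what the rules cannot show: a user-mode tool like HijackThis enumerates through the same Windows APIs a kernel rootkit hooks, so the TDSS driver itself does not appear in this log at all; the orphaned entries are the only hint, which is why the helper asks for a GMER scan later in the thread.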

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by flashh4 » April 5th, 2009, 11:10 am

Hello humblee and welcome to the forums.

Please do not run any other programs without my permission!
Run all programs in the order posted!


My name is flashh4 and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
4. Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
5. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
6. Please post everything requested in your reply, not as an attachment.

If you can do those things, everything should go smoothly.

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Note: I am still in training at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

I will be back as soon as possible with a fix!
In the meantime, can you give me an uninstall list, please?


  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.


*Notes*
1. It would be very helpful if you informed me of which Antivirus and Firewall you are running or if it's disabled.
2. There is a 5 day limit which you must respond to this topic or it will be closed. Then you will have to start a new topic.


Thanks
Chuck
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by humblee » April 5th, 2009, 7:11 pm

I have two accounts on my computer, one under USER and the other under NEW.
Here is the log list you asked for. Thank you.
I am also using McAfee, Ad-Aware and Malwarebytes on my system.


Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
After Dark Games
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BlazeDVDCopy 4.0
Broadcom Gigabit Integrated Controller
C-Major Audio
Compatibility Pack for the 2007 Office system
Conexant D110 MDC V.9x Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Dell Resource CD
Dell Wireless WLAN Card
Downloader
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Impossible Golf
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) Processor ID Utility
Intel(R) PROSet/Wireless Software
iTunes
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
mDriver
mHlpDell
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mMHouse
Mozilla Firefox (3.0.8)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
OpenOffice.org 2.0
QuickSet
QuickTime
Remove Sudoku Master
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sierra Utilities
Snap 'n Share
Texas Instruments PCIxx21/x515 drivers.
Ulead DVD Player
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by flashh4 » April 6th, 2009, 7:53 am

Hi humblee, let's continue.
MOVE HIJACKTHIS

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from the desktop. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Please go to your 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.
  • Copy and paste HijackThis.exe to the new folder.
  • Right click on HijackThis.exe and select send to > desktop
  • This will make a new shortcut on your desktop.



NEXT



Please download ATF cleaner
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

...................................

If you want to keep your cookies !!

Please download ATF cleaner
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All and UNCHECK Cookies.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All and UNCHECK Cookies.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All and UNCHECK Cookies.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



NEXT



I see you have Malwarebytes installed; if you have not run it yet, please do so and post the log below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt





NEXT


I see you have ERUNT installed; if you have not run it yet, please do so, as it will make a backup in case we have a problem.

Backup the Registry

  • Download ERUNT
  • Save it to your desktop. Right click on the downloaded file (erunt.zip) and click Extract. Follow the prompts to extract the file.
  • Now click on the folder "erunt" and find and double click on the file called Erunt.exe
  • Click OK. Then Click OK again.
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it run until it's done.





NEXT




Download and Run Gmer
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip
Alternate download site 1 (http://hype.free.googlepages.com/gmer.zip)

* Unzip it to a folder on your desktop
* Double click on gmer.exe to launch GMER
* If asked, allow the gmer.sys driver load
* If it warns you about rootkit activity and asks if you want to run scan, click OK
* If you don't get a warning then
Click the rootkit tab
Click Scan
* Once the scan has finished, click copy
* Paste the log into notepad using Ctrl+V
* Save it to your desktop as gmerrk.txt
* Click on the >>> tab
* This will open up the rest of the tabs for you
* Click on the Autostart tab
* Click on Scan
* Once the scan has finished, click copy
* Paste the log into notepad using Ctrl+V
* Save it to your desktop as gmerautos.txt
* Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic



Please post next:
1. Malwarebytes' log
2. GMER logs both of these >> gmerautos.txt and gmerrk.txt
3. New HJT log

Thanks
Chuck
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by humblee » April 6th, 2009, 5:23 pm

Each time I have gone to start these, nothing would happen...

I also have been getting a blue screen with "stop: 0x0000008E".

I think that whatever is on my computer is not allowing me to run these programs...

I will try again.

Here is my HJT log; I can still run this. And do you think I should remove McAfee, because maybe this is preventing these programs from running?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:54 PM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Temporary Directory 1 for gmer(2).zip\gmer.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Temporary Directory 2 for gmer(2).zip\gmer.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Temporary Directory 3 for gmer(2).zip\gmer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\User\Desktop\gmer(2)\gmer.exe
C:\Documents and Settings\User\Desktop\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7278073109
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9058 bytes
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by humblee » April 7th, 2009, 4:54 am

I have now been able to run these and get the logs for you, so here they are. I would also like to say thank you for walking me through this. Thank you.

MBam-LOG

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

4/7/2009 1:24:39 AM
mbam-log-2009-04-07 (01-24-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109473
Time elapsed: 25 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\UAC7a12.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\7zS71.tmp\MSIStart.exe (Trojan.SpywareStop) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\7zS71.tmp\MalwareRemovalBot\SpyCleaner.dll (Rogue.SpyCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACcbldouni.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAChosvwcdo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACjwbfagxv.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxewmrxll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACyxumhwrq.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACttpuyfqx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Unread postby humblee » April 7th, 2009, 4:58 am

The log for gmerrk is too many characters to post,

so here is the gmerautos log.

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2009-04-07 00:53:56
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = userinit.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
igfxcui@DLLName = igfxdev.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Apple Mobile Device /*Apple Mobile Device*/@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
EvtEng /*Intel(R) PROSet/Wireless Event Log*/@ = C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
ioloFileInfoList /*iolo FileInfoList Service*/@ = C:\Program Files\iolo\common\lib\ioloServiceManager.exe
ioloProductUpdate /*iolo Product Update Service*/@ = C:\Program Files\iolo\common\lib\ioloServiceManager.exe
ioloSystemService /*iolo System Service*/@ = C:\Program Files\iolo\common\lib\ioloServiceManager.exe
IOLO_SRV /*iolo System Guard*/@ = C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe /*file not found*/
Lavasoft Ad-Aware Service /*Lavasoft Ad-Aware Service*/@ = "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
mcmscsvc /*McAfee Services*/@ = C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
McNASvc /*McAfee Network Agent*/@ = "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe"
McProxy /*McAfee Proxy Service*/@ = c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
McShield /*McAfee Real-time Scanner*/@ = C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
MpfService /*McAfee Personal Firewall Service*/@ = "C:\Program Files\McAfee\MPF\MPFSrv.exe"
NICCONFIGSVC /*NICCONFIGSVC*/@ = C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
RegSrvc /*Intel(R) PROSet/Wireless Registry Service*/@ = C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Intel(R) PROSet/Wireless Service*/@ = C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SCardSvr /*Smart Card*/@ = %SystemRoot%\System32\SCardSvr.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
wltrysvc /*Dell Wireless WLAN Tray Service*/@ = %SystemRoot%\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@igfxtrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@igfxhkcmdC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@igfxpersC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe
@Broadcom Wireless Manager UIC:\WINDOWS\system32\WLTRAY.exe = C:\WINDOWS\system32\WLTRAY.exe
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@ApointC:\Program Files\Apoint\Apoint.exe = C:\Program Files\Apoint\Apoint.exe
@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@mcagent_exeC:\Program Files\McAfee.com\Agent\mcagent.exe /runkey /*file not found*/ = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey /*file not found*/
@IntelZeroConfig"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" = "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
@IntelWireless"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
@Ad-WatchC:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe = C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@Messenger (Yahoo!)"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Classes\ >>>
.scr@ = NOTEPAD.EXE %1
.hta@ = NOTEPAD.EXE %1

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/(null) =
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/(null) =
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
LavasoftShellExt@{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} = C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll
McCtxMenu@{01576F39-90DE-4D6E-A068-5B20C22BAAEE} = c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LavasoftShellExt@{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} = C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
McCtxMenu@{01576F39-90DE-4D6E-A068-5B20C22BAAEE} = c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{7DB2D5A0-7241-4E79-B68D-6309F01C5231}C:\Program Files\McAfee\VirusScan\scriptsn.dll = C:\Program Files\McAfee\VirusScan\scriptsn.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\AZVENA.scr /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.yahoo.com/ = http://www.yahoo.com/
@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\Documents and Settings\User\Start Menu\Programs\Startup = ERUNT AutoBackup.lnk

---- EOF - GMER 1.0.12 ----
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Unread postby flashh4 » April 7th, 2009, 7:42 am

Hi humblee, I need to see the whole GMER log. You can post it by splitting it up into different posts: part 1, part 2 and so on.
Also a new HJT log after the run of GMER.

Thanks
Chuck
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Unread postby humblee » April 8th, 2009, 5:31 am

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-04-08 02:24:59
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT Lbd.sys ZwCreateKey
SSDT Lbd.sys ZwSetValueKey

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcessEx
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwEnumerateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwEnumerateValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwNotifyChangeKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryMultipleValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwReplaceKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRestoreKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetContextThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetInformationProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnloadKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys NtSetInformationProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP AAD4A9D8 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP AAD4A9AE \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP AAD4A9EE \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP AAD4AA04 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP AAD4A9C2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP AAD4A934 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP AAD4A948 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP AAD4A986 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP AAD4A970 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP AAD4A95C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP AAD4A99A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP AAD4A920 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwQueryValueKey 8061854A 7 Bytes JMP AAD4AA9A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BC2 7 Bytes JMP AAD4AAF2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619460 7 Bytes JMP AAD4AAB0 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRenameKey 80619D34 7 Bytes JMP AAD4AA58 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7A2 7 Bytes JMP AAD4AA42 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A972 7 Bytes JMP AAD4AA6E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 7 Bytes JMP AAD4AADC \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADBC 7 Bytes JMP AAD4AAC6 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwOpenKey 8061B6E4 5 Bytes JMP AAD4AA18 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA0A 7 Bytes JMP AAD4AB44 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCCA 5 Bytes JMP AAD4AB1C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3BE 5 Bytes JMP AAD4AB30 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4D8 5 Bytes JMP AAD4AB08 \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00840FEF
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00840F71
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00840065
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00840054
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00840F97
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00840FC3
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00840F39
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00840F56
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008400C0
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0084009B
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 008400D1
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00840FA8
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00840014
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00840080
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00840FD4
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00840025
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00840F1E
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00830FD4
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00830079
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00830025
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00830FE5
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00830FB2
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00830054
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00830FC3
.text C:\WINDOWS\system32\svchost.exe[128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0F, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 12, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0C, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A008C
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0071
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A004A
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F55
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A009D
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F1F
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00C2
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00D3
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029002C
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F8A
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FE5
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290FA5
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290047
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FB6
.text C:\WINDOWS\system32\svchost.exe[180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660FEF
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F64
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F75
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00070058
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F90
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F38
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F16
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F27
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070032
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F49
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 26, 88 ]
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F4C
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0036
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00FC0F5D
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0F83
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC009D
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0082
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F16
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC00AE
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC00C9
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC0F94
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC0065
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC0FAF
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC0F31
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FB0FA5
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FB002C
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FB006C
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FB0051
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FB0FCA
.text C:\WINDOWS\system32\lsass.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024A0F6E
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024A0058
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 024A0047
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024A0036
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024A0F9E
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024A009A
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024A0F53
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024A00E1
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024A00C6
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 024A00F2
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 024A0025
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 024A0000
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 024A007D
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 024A0FB9
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 024A0FCA
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 024A00B5
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 022C0040
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 022C0091
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 022C0025
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 022C000A
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 022C0076
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 022C0FEF
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 022C0FD4
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4C, 8A ]
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 022C0051
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 022D0000
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 022D0FDB
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 022D0FC0
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 022D0FAF
.text C:\WINDOWS\explorer.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01870FE5
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02560000
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025600B4
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025600A3
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 02560087
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0256006C
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02560040
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025600EA
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025600CF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02560F77
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0256010F
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02560F66
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0256005B
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02560FE5
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02560FA5
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02560FCA
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02560025
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02560F88
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02550FC3
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02550043
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02550FD4
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02550FEF
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02550F86
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02550000
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02550F97
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 75, 8A ]
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02550FB2
.text C:\WINDOWS\system32\svchost.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30055
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30F61
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00E3002F
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F72
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30014
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E3008D
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30F46
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E300C3
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E30F2B
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E300DE
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E30F8D
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E30FCA
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E30070
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E30FA8
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E30FB9
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E300A8
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E20F83
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E20025
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E2000A
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E20F9E
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E20040
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03120000
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03120099
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03120FA5
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 03120FC0
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0312007D
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03120058
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03120F83
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03120F94
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03120F57
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03120F68
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03120F46
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03120FDB
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03120011
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 031200BE
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0312003D
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860B7C 3 Bytes JMP 0312002C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA + 4 7C860B80 1 Byte [ 86 ]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C8623AD 3 Bytes JMP 031200EF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec + 4 7C8623B1 1 Byte [ 86 ]
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Unread postby humblee » April 8th, 2009, 5:32 am

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 030B0022
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 030B0F6C
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 030B0FD1
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 030B0011
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 030B0033
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 030B0000
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 030B0F91
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 2B, 8B ]
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 030B0FB6
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02E50000
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03110000
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03110025
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03110FE5
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03110FD4
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0077003D
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770F49
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 0077002C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00770F6F
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770FA5
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00770069
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770058
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007700B0
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0077009F
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007700C1
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00770F8A
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00770FE5
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00770F2E
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00770FC0
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00770011
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0077008E
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00760062
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00760FE5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00760FAF
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0076000A
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00760051
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00760036
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80F54
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80048
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00C80F6F
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FA5
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C8008A
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80F43
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C80F03
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C8009B
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C800C0
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C80F94
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C80FDB
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C8006D
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C80011
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C80F1E
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C7002F
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C70F90
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C70FA1
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00C70FB2
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ E7, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C70FC3
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1552] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30095
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30070
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00E3005F
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F97
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E3001E
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E30F7A
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E300C1
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E300F7
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E30F69
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E30112
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E30039
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E300A6
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E30FB2
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\svchost.exe[1552] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E300DC
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D10073
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D10FDB
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D10058
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00D10FB6
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ F1, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D1003D
.text C:\WINDOWS\system32\svchost.exe[1552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00E20F9E
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[1756] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[1768] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1776] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1892] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\scardsvr.exe[1940] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2032] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2408] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[2500] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[2508] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[2520] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[2548] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[2576] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[2576] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[2576] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2620] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2620] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2620] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[2632] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2676] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe[2708] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe[2772] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2800] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2860] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2892] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\hidfind.exe[3136] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Apoint\hidfind.exe[3136] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Apoint\hidfind.exe[3136] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\alg.exe[3412] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\alg.exe[3412] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\alg.exe[3412] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Apoint\ApntEx.exe[3616] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3748] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3928] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Documents and Settings\User\Desktop\Tools\GMER\gmer.exe[4040] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\new\Favorites\Links\MyFreePaysite.com - Members Section - My Account.url:favicon
ADS C:\Documents and Settings\User\Desktop\User's Guide.pdf:SummaryInformation
ADS C:\Documents and Settings\User\Desktop\User's Guide.pdf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\User\Favorites\Drivers & Downloads.url:favicon
ADS C:\Documents and Settings\User\Favorites\Links\Suggested Sites.url:favicon

---- EOF - GMER 1.0.12 ----
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by humblee » April 8th, 2009, 5:35 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:52 AM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7278073109
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8924 bytes
humblee
Active Member
 
Posts: 9
Joined: April 5th, 2009, 6:59 am

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Post by flashh4 » April 10th, 2009, 10:16 am

Hi humblee, you had a Very Dangerous infection on this machine.
It allowed outsiders to steal passwords you use while on this machine, and gave them complete access to any other data present...

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

NEXT

Remove bad HijackThis entries:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

NEXT

Update Adobe Reader

  1. Please uninstall Adobe Reader XXX XXX xxx before installing the latest version by going to Start > Control Panel and double-clicking on Add/Remove Programs. Locate Adobe Reader XX xxx xx and click on Change/Remove to uninstall it.
  2. Click here to download the latest version of Adobe Acrobat Reader.
  3. Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you.

    If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  4. Close your Internet browser and open it again.

NEXT

I need you to run an online scan for me. Choose one of these.

Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

.......................................

PANDA ONLINE SCAN

Please go >here< to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply




Post next
1. One online scan
2. New HJT log

Thanks
Chuck

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Unread postby humblee » April 11th, 2009, 11:13 pm

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-04-11 20:07:22
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@trafficmp[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@advertising[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@adrevolver[2].txt
05346086 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{7BB4DF1D-ADF3-43D9-86FF-A307AE69855B}\RP2\A0002011.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:10 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\User\Local Settings\Temp\jkos-User\binaries\ScanningProcess.exe
C:\Documents and Settings\User\Desktop\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7278073109
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Shield 3\IoloSGCtrl.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10275 bytes
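
The Panda report above lists seven tracking cookies and one "Generic Malware" hit whose path is inside a System Restore snapshot (System Volume Information\_restore{...}), which is why the helper can declare the machine clean in the next post. As an added example (not part of the original post and not a Panda or MalwareRemoval.com tool), the following Python script parses an ActiveScan 2.0 report and sorts each row into a triage category: cookie, dormant restore-point copy, active detection, or inactive file. It assumes the real export is tab-separated (the forum paste collapsed the tabs to spaces); the sample report is constructed, with the first two rows copied from the posted log and a third, clearly fake row added to exercise the "active" branch.

```python
"""Triage of a Panda ActiveScan 2.0 report such as the one posted above.

Added example for this thread; it is not a Panda or MalwareRemoval.com tool.
Rows are tab-separated in the real export (assumption: the forum collapsed the
tabs to spaces when the log was pasted), so the constructed sample uses tabs.
The first two rows copy entries from the posted log; the third is made up to
exercise the "active detection" branch.
"""
import re
from dataclasses import dataclass

# Assumption: paths of this shape are System Restore snapshots. A hit there is a
# dormant copy the OS kept, not something running; it is cleared by flushing the
# restore points rather than by "removing" the file in place.
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.IGNORECASE
)


def row(*fields):
    """Build one tab-separated report row."""
    return "\t".join(fields)


SAMPLE_REPORT = "\n".join([
    ";***********",
    "ANALYSIS: 2009-04-11 20:07:22",
    "MALWARE: 3",
    ";***********",
    "MALWARE",
    row("Id", "Description", "Type", "Active", "Severity",
        "Disinfectable", "Disinfected", "Location"),
    ";===========",
    row("00139061", "Cookie/Doubleclick", "TrackingCookie", "No", "0", "Yes", "No",
        r"C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt"),
    row("05346086", "Generic Malware", "Virus/Trojan", "No", "0", "Yes", "No",
        r"C:\System Volume Information\_restore{7BB4DF1D-ADF3-43D9-86FF-A307AE69855B}\RP2\A0002011.exe"),
    # Constructed row, not from the posted log: an active hit in a live location.
    row("00000000", "Constructed/Example", "Virus/Trojan", "Yes", "2", "Yes", "No",
        r"C:\WINDOWS\system32\constructed_example.dll"),
    ";===========",
    "SUSPECTS",
])


@dataclass
class Finding:
    ident: str
    description: str
    kind: str
    active: bool
    location: str
    category: str   # "cookie" | "restore-point" | "active" | "inactive"
    note: str


def classify(kind, active, location):
    """Map one detection row to a triage category and a one-line action."""
    if kind == "TrackingCookie":
        return "cookie", "ad/tracking cookie; a privacy nuisance, not an infection"
    if RESTORE_POINT.search(location):
        return "restore-point", "dormant copy inside a System Restore point; flush restore points"
    if active:
        return "active", "loaded from a live location; remove and re-scan"
    return "inactive", "file present but not running; review the path and remove if unwanted"


def parse_malware_section(text):
    """Return the detection rows between the MALWARE and SUSPECTS headers."""
    findings = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "MALWARE":
            in_section = True
            continue
        if not in_section:
            continue
        if stripped in ("SUSPECTS", "VULNERABILITIES"):
            break
        if not stripped or stripped.startswith(";") or line.startswith("Id\t"):
            continue  # banners, separators and the column header
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # not a full detection row; ignore rather than guess
        ident, desc, kind, active, _sev, _disinf, _done, loc = fields
        is_active = active.strip().lower() == "yes"
        category, note = classify(kind.strip(), is_active, loc.strip())
        findings.append(Finding(ident, desc, kind, is_active, loc.strip(), category, note))
    return findings


def summarize(findings):
    """Count findings per triage category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = parse_malware_section(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.category:13}] {f.ident} {f.description}: {f.note}")
    print(summarize(results))
```

Run against the posted log (with its tabs intact), every row but one lands in "cookie" and the remaining one in "restore-point"; nothing is "active", which matches the helper's verdict. Rows that parse to anything other than eight fields are skipped rather than guessed at.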

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Unread postby flashh4 » April 12th, 2009, 8:15 pm

Hi humblee, you can remove RSIT and ERUNT.

Since you already have Malwarebytes' installed I would keep this valuable tool. I run mine a few times a week to check my computer for anything it may have picked up.
You can continue to manually update and use MBAM as an on demand scanner.
There is also an upgrade to the paid version.
Instructions on use:
Click/open Malwarebytes' on your desktop, click the Update tab, click the Check for updates box, then use the option "Perform quick scan".
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.



======================


Congratulations, you are clean!!! :cheers:

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date
    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://update.microsoft.com/windowsupda ... ankspage=5 regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean

Let me know if you have read this and, if there are no other problems, we can archive this topic.


Thanks
Chuck
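
The six Custom Level changes in the post above are stored by Internet Explorer as DWORD values under the Internet zone key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, using IE's own action IDs (1001, 1004, 1201, 1800, 1804, 1607) and its 0 = Enable, 1 = Prompt, 3 = Disable encoding. As an added example (not from the post or from the forum's own tooling), the Python script below audits a `reg export` of that key against the recommended settings, so the change can be verified, or checked on several machines, without clicking through the dialog. The sample export is constructed and deliberately leaves three settings at Enable; a real export is read from the path given on the command line.

```python
"""Audit the Internet-zone (Zone 3) settings that the post above changes.

Added example, not part of the original post. It reads a `reg export` of
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and
compares the six Custom Level settings with the recommendation. The action IDs
and the 0/1/3 encoding are Internet Explorer's own; the sample export below is
constructed, not taken from the poster's machine.
"""
import re
import sys
from dataclasses import dataclass

ACTION_LABEL = {0: "Enable", 1: "Prompt", 3: "Disable"}

# (name shown in the Custom Level dialog, registry value name, recommended setting)
RECOMMENDED = [
    ("Download signed ActiveX controls", "1001", "Prompt"),
    ("Download unsigned ActiveX controls", "1004", "Disable"),
    ("Initialize and script ActiveX controls not marked as safe", "1201", "Disable"),
    ("Installation of desktop items", "1800", "Prompt"),
    ("Launching programs and files in an IFRAME", "1804", "Prompt"),
    ("Navigate sub-frames across different domains", "1607", "Prompt"),
]

ZONE3_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed sample of what `reg export` writes for the key (three weak settings).
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    ZONE3_KEY,
    '"DisplayName"="Internet"',
    '"1001"=dword:00000000',   # signed ActiveX download: Enable (weak)
    '"1004"=dword:00000003',   # unsigned ActiveX download: Disable (ok)
    '"1201"=dword:00000003',   # unsafe ActiveX init/script: Disable (ok)
    '"1800"=dword:00000001',   # desktop items: Prompt (ok)
    '"1804"=dword:00000000',   # IFRAME launch: Enable (weak)
    '"1607"=dword:00000000',   # cross-domain sub-frames: Enable (weak)
    '"1400"=dword:00000000',   # Active scripting: not in the post's list, ignored
    "",
])


@dataclass
class Check:
    name: str
    value_name: str
    current: str    # "Enable" / "Prompt" / "Disable" / "missing" / "other(n)"
    wanted: str
    ok: bool


def parse_zone3(reg_text):
    """Return {value_name: int} for the DWORDs under the Zone 3 key only."""
    values = {}
    in_zone3 = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_zone3 = line.lower() == ZONE3_KEY.lower()
            continue
        if in_zone3:
            m = DWORD_LINE.match(line)
            if m:
                values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_zone3(reg_text):
    """Compare each recommended setting with the exported value."""
    values = parse_zone3(reg_text)
    checks = []
    for name, value_name, wanted in RECOMMENDED:
        if value_name not in values:
            current = "missing"
        else:
            current = ACTION_LABEL.get(values[value_name], f"other({values[value_name]})")
        # Disable is stricter than Prompt, so accept it where Prompt is recommended.
        ok = current == wanted or (wanted == "Prompt" and current == "Disable")
        checks.append(Check(name, value_name, current, wanted, ok))
    return checks


def load_export(path):
    """reg export writes UTF-16LE with a BOM; decode it accordingly."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for c in audit_zone3(text):
        flag = "OK " if c.ok else "FIX"
        print(f"{flag} {c.value_name} {c.name}: {c.current} (want {c.wanted})")
```

To check a real machine, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and pass zone3.reg to the script. One caveat: if the Security_HKLM_only policy is set, the HKLM copy of the same key is the one in effect, so export that key instead and adjust ZONE3_KEY to match.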

Re: WIN32ROOTKIT.TDSS, have redirected browser, invisible popups

Unread postby NonSuch » April 17th, 2009, 4:35 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.