Free Malware Removal Forum

by **meteorman** » November 2nd, 2009, 6:14 pm

Picked up some malware that has several symptoms:
FakeAlert popups were rampant - new AdAware is catching some of them, but they still persist.
I use MSN Explorer as browser - my Google search engine is disabled - it usually just goes to a blank white screen- other users on this machine (my family) get the same, or sometimes have their google searches hijacked to random sites.
Bing seems to work fine, as do most other web processes.
My adAware finds things (FakeAlert), but seems to be disabled when I go to check them to remove them (in AdAware).
this morning AdAware found and supposedly deleted, after a reboot, a file called dumenebi.dll
AdAware had given me a message about detecting a "malicious scan" running in the background.

I've tried loading MalWareBytes AntiMalware, but the mbam.exe file never shows up (the other files do show up).
Initially, at bootup, I got messages about calc.dll and ntuser.dll not being found, altho not anymore.

At one point, McAfee had mentioned something about umonde/C.
McAfee scan sometimes aborts right in the middle of a scan.

anyway, lots going wrong.
here's my HiJackThis log.
many thanks for any help you can provide.
/meteorman

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:19 AM, on 11/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [system tool] C:\Program Files\fcqpql\epmfsysguard.exe
O4 - HKLM\..\Run: [jelizojew] Rundll32.exe "c:\windows\system32\dumenebi.dll",a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [system tool] C:\Program Files\fcqpql\epmfsysguard.exe
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email3.fws.gov/iNotes6W.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/downloa ... YAX29b.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vnc.webex.com/client/wbs26-vzbp ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8D32626-60AE-4ACB-93B7-EA2D39E2D568}: NameServer = 77.74.48.113
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: pigatedu.dll c:\windows\system32\wiwesedu.dll c:\windows\system32\yidopamo.dll c:\windows\system32\dumenebi.dll
O21 - SSODL: luwodimij - {8c9af294-9a09-43ca-9ef9-c5b2ab57976a} - c:\windows\system32\wiwesedu.dll (file missing)
O21 - SSODL: sowetahin - {a3c98ae5-2272-4413-abe3-10f8990a9488} - c:\windows\system32\dumenebi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {8c9af294-9a09-43ca-9ef9-c5b2ab57976a} - c:\windows\system32\wiwesedu.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {a3c98ae5-2272-4413-abe3-10f8990a9488} - c:\windows\system32\dumenebi.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 13869 bytes

by **Shaba** » November 5th, 2009, 7:49 am

Hi meteorman

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

by **meteorman** » November 5th, 2009, 4:48 pm

thank you for your reply!!
Here is ComboFix log, just completed:

ComboFix 09-11-05.01 - Mike 11/05/2009 14:30.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.1052 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\sadamoxon.bat
c:\documents and settings\Laura\My Documents\ZbThumbnail.info
c:\documents and settings\Matthew\My Documents\ZbThumbnail.info
c:\documents and settings\Mike\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Mike\Start Menu\Programs\XP_AntiSpyware
c:\recycler\S-1-5-21-1708537768-616249376-725345543-1003
c:\windows\Downloaded Program Files\Temp
c:\windows\jestertb.dll
c:\windows\system32\~.exe
c:\windows\system32\leyatito.dll
c:\windows\system32\nilujete.dll
c:\windows\system32\rimolodo.dll
c:\windows\system32\roriwega.dll
c:\windows\system32\silulawo.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\zivedomo.dll
c:\windows\Tasks\uoqvihpp.job
E:\autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://81.222.236.97
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 20:04 . 2009-11-05 20:04 -------- d-----w- c:\windows\LastGood
2009-11-05 19:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-05 19:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-05 18:22 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 18:22 . 2009-11-05 18:26 -------- d-----w- c:\program files\Malwarebyte
2009-11-05 18:22 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\adminmike\Application Data\Yahoo!
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\jZip
2009-11-05 18:11 . 2009-11-05 18:12 -------- d-----w- c:\program files\jZip
2009-11-05 18:03 . 2009-11-05 18:03 -------- d-sh--w- c:\documents and settings\adminmike\PrivacIE
2009-11-05 18:00 . 2009-11-05 18:00 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSN Search Toolbar
2009-11-05 17:59 . 2009-11-05 18:00 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Google
2009-11-05 17:59 . 2009-11-05 18:34 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSN6
2009-11-05 17:59 . 2009-11-05 18:02 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSNInstaller
2009-11-05 17:59 . 2009-11-05 17:59 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Apple Computer
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Roxio
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Application Data\SiteAdvisor
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\SupportSoft
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Application Data\GTek
2009-11-05 14:57 . 2009-11-05 14:57 39424 --sh--w- c:\windows\system32\kohepiti.dll
2009-11-05 00:30 . 2009-11-05 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\Trend Micro
2009-11-02 21:04 . 2009-11-02 21:04 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-11-02 21:04 . 2009-11-02 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 22:48 . 2009-10-30 22:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-30 22:23 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-30 22:21 . 2009-10-30 22:21 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-10-30 22:21 . 2009-10-30 22:21 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-30 22:21 . 2009-10-30 22:21 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-10-30 22:21 . 2009-10-30 22:21 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-10-30 22:21 . 2009-10-30 22:21 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-30 22:21 . 2009-10-30 22:21 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-10-30 22:21 . 2009-10-30 22:21 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-10-30 22:18 . 2009-10-30 22:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-30 22:18 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-29 22:42 . 2009-10-30 21:56 -------- d-----w- c:\program files\RegDefense
2009-10-29 20:57 . 2009-10-29 20:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-29 20:57 . 2009-11-02 21:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-29 20:47 . 2009-10-29 20:47 -------- d-----w- c:\windows\system32\Registry Patrol
2009-10-29 20:47 . 2009-11-02 21:45 -------- d-----w- c:\program files\Registry Patrol
2009-10-29 02:42 . 2009-10-29 02:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-10-29 02:04 . 2009-10-29 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\GTek
2009-10-29 02:04 . 2009-10-29 02:04 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-10-28 18:55 . 2009-10-28 18:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-28 18:55 . 2009-10-28 18:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-10-28 13:50 . 2009-10-28 13:54 -------- d-----w- c:\windows\tmp
2009-10-28 13:06 . 2009-10-28 22:35 -------- d-----w- c:\program files\BOGUS - fcqpql
2009-10-26 17:01 . 2009-10-26 17:22 -------- d-----w- c:\documents and settings\Mike\Application Data\AMICAS
2009-10-26 17:01 . 2009-10-26 17:13 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\AMICAS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 19:08 . 2005-05-07 14:44 46302 ----a-w- c:\documents and settings\Mike\Application Data\wklnhst.dat
2009-11-05 19:07 . 2005-05-07 14:12 -------- d-----w- c:\documents and settings\Mike\Application Data\MSN6
2009-11-05 18:26 . 2009-11-05 18:25 96 ----a-w- c:\documents and settings\adminmike\Application Data\wklnhst.dat
2009-11-05 18:12 . 2006-12-29 22:38 -------- d-----w- c:\program files\Yahoo!
2009-11-04 23:57 . 2005-07-08 14:55 -------- d-----w- c:\documents and settings\Mason\Application Data\MSN6
2009-11-04 23:57 . 2005-05-31 23:34 -------- d-----w- c:\documents and settings\Matthew\Application Data\MSN6
2009-11-03 11:38 . 2005-05-07 18:20 -------- d-----w- c:\documents and settings\Laura\Application Data\MSN6
2009-11-01 20:43 . 2009-10-29 02:05 5634 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-30 22:17 . 2008-12-03 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-30 22:17 . 2005-10-11 21:35 -------- d-----w- c:\program files\Lavasoft
2009-10-28 13:25 . 2007-12-08 12:52 -------- d-----w- c:\program files\McAfee
2009-10-17 13:36 . 2008-06-08 00:49 -------- d-----w- c:\documents and settings\Laura\Application Data\Apple Computer
2009-10-05 15:15 . 2005-05-07 00:30 14422 ----a-w- c:\documents and settings\Laura\Application Data\wklnhst.dat
2009-09-28 20:50 . 2005-08-30 22:09 7744 ----a-w- c:\documents and settings\Matthew\Application Data\wklnhst.dat
2009-09-27 23:46 . 2006-01-29 21:51 1298 ----a-w- c:\documents and settings\Mason\Application Data\wklnhst.dat
2009-09-25 10:50 . 2009-09-25 10:48 -------- d-----w- c:\program files\iTunes
2009-09-25 10:48 . 2009-09-25 10:48 -------- d-----w- c:\program files\iPod
2009-09-25 10:48 . 2007-12-18 22:49 -------- d-----w- c:\program files\Common Files\Apple
2009-09-25 10:35 . 2009-09-25 10:35 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-24 23:27 . 2005-07-08 14:55 -------- d-----w- c:\documents and settings\Mason\Application Data\MSNInstaller
2009-09-16 14:22 . 2007-12-08 12:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-12-08 12:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-12-08 12:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-12-08 12:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-12-08 12:54 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-13 20:05 . 2007-04-09 22:22 -------- d-----w- c:\documents and settings\Matthew\Application Data\Apple Computer
2009-09-11 20:33 . 2007-02-25 13:48 -------- d-----w- c:\documents and settings\Mike\Application Data\Apple Computer
2009-09-11 20:08 . 2009-09-11 20:08 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 20:07 . 2008-12-08 23:28 -------- d-----w- c:\program files\Safari
2009-09-11 20:01 . 2009-09-11 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 19:57 . 2009-09-11 19:56 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:21 . 2009-11-05 17:57 99368 ----a-w- c:\documents and settings\adminmike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 21:21 . 2009-10-29 02:03 99368 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 20:56 . 2009-09-08 20:56 -------- d-----w- c:\documents and settings\Matthew\Application Data\SPORE
2009-09-08 20:55 . 2009-09-08 20:55 -------- d--h--r- c:\documents and settings\Matthew\Application Data\SecuROM
2009-09-07 16:49 . 2009-09-07 16:49 -------- d-----w- c:\documents and settings\Laura\Application Data\SPORE
2009-09-07 16:49 . 2009-09-07 16:49 -------- d--h--r- c:\documents and settings\Laura\Application Data\SecuROM
2009-09-07 16:42 . 2009-03-21 15:53 -------- d-----w- c:\program files\Electronic Arts
2009-09-07 16:38 . 2005-04-29 20:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-07 16:17 . 2005-04-29 20:31 -------- d-----w- c:\program files\Modem Helper
2009-09-07 16:16 . 2005-04-29 20:31 -------- d-----w- c:\program files\Modem On Hold
2009-09-07 14:29 . 2009-09-07 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-09-06 16:41 . 2009-08-28 18:27 4680 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-09-05 21:36 . 2008-12-31 00:23 71604 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 15:07 . 2005-05-07 18:18 99368 ----a-w- c:\documents and settings\Laura\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 13:58 . 2008-08-07 22:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-29 08:08 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 23:42 . 2008-09-10 19:36 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2008-08-03 16:21 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:02 . 2005-05-07 12:57 99368 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 18:32 . 2006-12-25 20:37 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-28 18:04 . 2004-08-10 18:13 77915 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-08-27 21:30 . 2009-08-27 21:30 2855 ----a-w- c:\windows\PIF\SPORESetup.PIF
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 19:32 . 2009-08-24 19:32 152576 ----a-w- c:\documents and settings\Laura\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 16:11 . 2009-08-23 16:11 75637184 ----a-w- C:\Quicken_Deluxe_2009.exe
2009-08-21 08:45 . 2008-10-07 07:21 100056 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-19 13:50 . 2008-10-19 13:50 17285 ----a-w- c:\program files\Common Files\tybylot.dll
2008-10-19 13:50 . 2008-10-19 13:50 11503 ----a-w- c:\program files\Common Files\mysi._sy
2009-08-05 14:57 . 2009-08-05 14:57 45056 --sha-w- c:\windows\SYSTEM32\beyawota.dll
2009-08-04 14:56 . 2009-08-04 14:56 91648 --sha-w- c:\windows\SYSTEM32\fevebuso.dll
2009-07-30 02:53 . 2009-07-30 02:53 32768 --sha-w- c:\windows\SYSTEM32\lobeyari.exe
2009-08-04 02:56 . 2009-08-04 02:56 39424 --sha-w- c:\windows\SYSTEM32\nevikegu.dll
2009-08-04 02:56 . 2009-08-04 02:56 91648 --sha-w- c:\windows\SYSTEM32\pejafiwi.dll
2009-08-03 02:56 . 2009-08-03 02:56 39424 --sha-w- c:\windows\SYSTEM32\peyuweli.dll
2009-07-29 14:53 . 2009-07-29 14:53 25600 --sha-w- c:\windows\SYSTEM32\pigatedu.exe
2009-08-03 14:56 . 2009-08-03 14:56 39424 --sha-w- c:\windows\SYSTEM32\povelomo.dll
2009-08-05 02:56 . 2009-08-05 02:56 45056 --sha-w- c:\windows\SYSTEM32\putisove.dll
2009-07-30 14:53 . 2009-07-30 14:53 18432 --sha-w- c:\windows\SYSTEM32\vuzibede.exe
2009-08-04 14:56 . 2009-08-04 14:56 39424 --sha-w- c:\windows\SYSTEM32\yomezeta.dll
2009-08-05 02:56 . 2009-08-05 02:56 39424 --sha-w- c:\windows\SYSTEM32\yonohuje.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-04-29 26112]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 327680]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 36640]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-09 1695744]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-03 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-31 315392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Verizon Online Support Center.lnk - c:\program files\Verizon Online\bin\matcli.exe [2005-5-7 204800]
Windows Desktop Search.lnk - c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-9-20 238080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Games\\LieroX v0.56 Pack 1.9\\LieroX.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\MSN Toolbar Suite\\DS\\02.05.0001.1119\\en-us\\bin\\WindowsSearch.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/30/2009 5:23 PM 64288]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [5/7/2005 12:24 PM 34916]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\SYSTEM32\DRIVERS\fantom.sys [3/10/2006 3:55 PM 39424]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
S3 utdrv;utdrv;c:\windows\SYSTEM32\DRIVERS\utdrv.sys [12/2/2006 9:40 AM 25344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:21]

2009-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-08 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-08 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
TCP: {C8D32626-60AE-4ACB-93B7-EA2D39E2D568} = 77.74.48.113
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{7165abd8-2157-4c3a-9ee7-546bb0d34740} - dudeheru.dll
HKLM-Run-jelizojew - c:\windows\system32\leyatito.dll
HKLM-Run-zamapatupa - nilujete.dll
SharedTaskScheduler-{8c9af294-9a09-43ca-9ef9-c5b2ab57976a} - c:\windows\system32\wiwesedu.dll
SharedTaskScheduler-{a3c98ae5-2272-4413-abe3-10f8990a9488} - c:\windows\system32\dumenebi.dll
SharedTaskScheduler-{fc84aeb2-9e42-4b7b-aa35-652d7ed80c44} - c:\windows\system32\leyatito.dll
SSODL-luwodimij-{8c9af294-9a09-43ca-9ef9-c5b2ab57976a} - c:\windows\system32\wiwesedu.dll
SSODL-sowetahin-{a3c98ae5-2272-4413-abe3-10f8990a9488} - c:\windows\system32\dumenebi.dll
SSODL-yabivopan-{fc84aeb2-9e42-4b7b-aa35-652d7ed80c44} - c:\windows\system32\leyatito.dll
AddRemove-RegDefense - c:\program files\RegDefense\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RoxioDragToDisc = "c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"?\Windows Desktop Search.lnk?????????????????????????C:\Documents and S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,a3,61,bd,5a,9e,44,a2,32,40,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,a3,61,bd,5a,9e,44,a2,32,40,\

[HKEY_USERS\S-1-5-21-2063061788-1251265980-2345815548-1007\Software\SecuROM\License information*]
"datasecu"=hex:f1,37,4a,62,73,e7,08,9a,62,3d,66,9e,7e,99,6d,40,27,3d,92,93,8c,
9d,42,fa,e4,c0,eb,18,34,76,af,a1,04,c2,04,c2,da,18,37,1a,f4,1d,96,d8,72,af,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6253\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\program files\Verizon Online\bin\mpbtn.exe
c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 15:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 20:25

Pre-Run: 16,265,424,896 bytes free
Post-Run: 18,699,010,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windoes XP Home Edition" /Fastdetect

- - End Of File - - D81B4BE019CDB33D7CD636E80ECE8477

After running ComboFix, my browser issue was "better" - a Google search didn't go immediately to a white screen - it gave me search results, but then clicking on any search link led me to some random bogus advertising pages.
Also, AFTER ComboFix, I was now able to load MalWareByte's Anti-Malware and run a scan.
I have attached the results of the Anti-Malware scan below. I hope that's OK. - Again, this scan occurred AFTER the ComboFix scan .

Thank you so much for your help.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/5/2009 6:57:08 PM
mbam-log-2009-11-05 (18-56-53).txt

Scan type: Quick Scan
Objects scanned: 148688
Time elapsed: 12 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_AntiSpyware (Rogue.XPAntiSpyware) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\nevikegu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSSlubs.log (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSSqqon.dll (Rootkit.TDSS) -> No action taken.

by **Shaba** » November 6th, 2009, 12:48 am

Please click this link-->Jotti

Copy/paste file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

c:\windows\SYSTEM32\DRIVERS\utdrv.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

by **meteorman** » November 6th, 2009, 5:52 pm

Thank you.
Used Jotti first, then VirusTotal.
didn't see where a log file was created, but appeared all the scans reported nothing found.
copied and pasted screen elements below:

Jotti's malware scan
Filename: utdrv.sys
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 6 Nov 2009 22:48:06 (CET) Permalink

--------------------------------------------------------------------------------
Additional info
File size: 25344 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 42d67426c053a24f1935d50d03159da8
SHA1: e27f7013003cfe31ae2761672fe1cc70bdd5418f

Scanners
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing 2009-11-06 Found nothing

VirusTotal scan results:

Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File utdrv.sys received on 2009.11.06 21:53:27 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/40 (0%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 61 and 87 seconds.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.06 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.06 -
Antiy-AVL 2.0.3.7 2009.11.05 -
Authentium 5.2.0.5 2009.11.06 -
Avast 4.8.1351.0 2009.11.06 -
AVG 8.5.0.423 2009.11.06 -
BitDefender 7.2 2009.11.06 -
CAT-QuickHeal 10.00 2009.11.06 -
ClamAV 0.94.1 2009.11.06 -
Comodo 2864 2009.11.06 -
DrWeb 5.0.0.12182 2009.11.06 -
eTrust-Vet 35.1.7108 2009.11.06 -
F-Prot 4.5.1.85 2009.11.06 -
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.06 -
GData 19 2009.11.06 -
Ikarus T3.1.1.74.0 2009.11.06 -
Jiangmin 11.0.800 2009.11.06 -
K7AntiVirus 7.10.890 2009.11.06 -
Kaspersky 7.0.0.125 2009.11.06 -
McAfee 5794 2009.11.06 -
McAfee+Artemis 5794 2009.11.06 -
McAfee-GW-Edition 6.8.5 2009.11.06 -
Microsoft 1.5202 2009.11.06 -
NOD32 4580 2009.11.06 -
Norman 6.03.02 2009.11.06 -
nProtect 2009.1.8.0 2009.11.06 -
Panda 10.0.2.2 2009.11.06 -
PCTools 7.0.3.5 2009.11.06 -
Prevx 3.0 2009.11.06 -
Rising 21.54.44.00 2009.11.06 -
Sophos 4.47.0 2009.11.06 -
Sunbelt 3.2.1858.2 2009.11.06 -
Symantec 1.4.4.12 2009.11.06 -
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.06 -
VBA32 3.12.10.11 2009.11.06 -
ViRobot 2009.11.6.2025 2009.11.06 -
VirusBuster 4.6.5.0 2009.11.06 -
Additional information
File size: 25344 bytes
MD5...: 42d67426c053a24f1935d50d03159da8
SHA1..: e27f7013003cfe31ae2761672fe1cc70bdd5418f
SHA256: f7159b6f7e4f8557879e4b0f0e36280de63ed118d6fcb96a2fb0be78d41e8663
ssdeep: 384:KlgIUDsD+sKJlrEyWBv74wsp6fGGHcEDUXnhHE1I4cY76bCRSI:WGbJlAufB
Lbs

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5610
timedatestamp.....: 0x4544e5ce (Sun Oct 29 17:33:02 2006)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x4e56 0x4e80 6.34 e8ec0d61f08b65be90f927580dda0e9b
.rdata 0x5180 0x157 0x180 4.03 d8f3a1dcacafb305c641ef2ea8e2bcd3
.data 0x5300 0x118 0x180 0.00 0fe8b6ff202a2b826cb73fc50d089e9b
PAGE 0x5480 0x9e 0x100 3.97 58a05ca6cec3f2f7c06afb35feefd798
INIT 0x5580 0x526 0x580 5.34 efeb3ac7baa3662938a5de8e0759adab
.rsrc 0x5b00 0x318 0x380 2.94 48bc64b80b92f76f0d62452b7ed85aee
.reloc 0x5e80 0x426 0x480 5.63 c8100130684ad4e5f6c01d4411900a99

( 2 imports )
> ntoskrnl.exe: RtlInitUnicodeString, ExFreePool, ObfDereferenceObject, IoDeleteSymbolicLink, KeSetEvent, InterlockedExchange, InterlockedIncrement, ExAllocatePoolWithTag, _local_unwind2, InterlockedDecrement, IofCompleteRequest, ObReferenceObjectByHandle, ExEventObjectType, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoCreateDevice, RtlUnicodeStringToAnsiString, ObQueryNameString, RtlFreeAnsiString, IoFreeMdl, MmUnlockPages, MmMapLockedPagesSpecifyCache, MmProbeAndLockPages, IoAllocateMdl, RtlFreeUnicodeString, ObReferenceObjectByName, IoDriverObjectType, RtlTimeToTimeFields, ExSystemTimeToLocalTime, KeQuerySystemTime, PsGetCurrentThreadId, _except_handler3, IoCreateSymbolicLink, IoDeleteDevice, KeInitializeSpinLock
> HAL.dll: KfAcquireSpinLock, KfReleaseSpinLock, KeGetCurrentIrql

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

2009-11-06 Found nothing 2009-11-06 Found nothing
2009-11-06 Found nothing

by **Shaba** » November 7th, 2009, 5:52 am

Download gmer.zip and save to your desktop.
alternate download site

Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE"

Important! Please do not select the "Show all" checkbox during the scan..

by **meteorman** » November 7th, 2009, 9:24 am

Thanks!
Downloaded and ran gmer.exe.
The first attempt crashed the computer and I got the dreaded blue screen.
Re-booted and tried again, and it worked.
Really appreciate your assistance !

This editor told me my message was too large (219478 characters), so I have attached the file.

by **Shaba** » November 7th, 2009, 9:38 am

Please copy/paste it to your next reply using multiple replies

by **meteorman** » November 8th, 2009, 10:09 am

OK. Sorry.
looks like it'll be in three parts.
thanks.

****gmer txt Part 1****

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-11-07 08:02:18
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.12 ----

SSDT Lbd.sys ZwCreateKey
SSDT Lbd.sys ZwSetValueKey

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcessEx
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetContextThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetInformationProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys NtSetInformationProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A895C7B8 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A895C78E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A895C7CE \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A895C7E4 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A895C7A2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A895C714 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A895C728 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A895C766 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A895C750 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A895C73C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A895C77A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A895C7FD \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F55
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F66
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10040
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10F8D
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D1001B
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10F1D
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D1006F
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10EE7
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F0C
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D1009B
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10F9E
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F44
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D1000A
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10080
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D0003D
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D0002C
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D0001B
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00087
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00000
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D00FDB
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ F0, 88 ]
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00062
.text C:\WINDOWS\SYSTEM32\services.exe[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE000A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F55
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F66
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F8D
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF004A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F13
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0065
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0EEE
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0087
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0098
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF002F
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F3A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0076
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F7C
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0025
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE000A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F8D
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FA8
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ DE, 88 ]
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0FA3
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0098
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA007D
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA006C
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0040
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0F6B
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0F92
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00DF
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA0F50
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA00FA
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0051
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA00B3
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA00CE
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90025
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A9005B
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90000
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A9004A
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ C9, 88 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90062
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90051
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90040
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90F8D
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90095
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90084
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F28
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900C1
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900DC
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90073
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90014
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C900B0
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80F79
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FC0
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C80000
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80036
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C8001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C80F94
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02010000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02010F44
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02010F5F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02010F7C
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02010F97
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02010FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0201005E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02010F18
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02010EE7
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02010080
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0201009B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02010FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0201001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02010F29
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02010FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02010FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0201006F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D40FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D40051
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D40FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D4000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D40040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D40FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01D4002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D40FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D20000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01D10FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01D1000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01D10FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01D10FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F8F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0065008E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065007D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650FC0
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650FD1
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650F72
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006500BA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500F0
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500DF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0065010B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650062
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006500A9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650047
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F61
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0064001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640F94
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640051
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00640040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660093
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660078
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0066005B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006600E4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006600C9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0066011A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600FF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00660F66
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006600AE
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0066002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660014
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00660F81
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650047
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0065001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650FC0
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0065000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00650062
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650FDB
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0F3E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D003D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0F6F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D002C
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0FA5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0F17
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D005F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D00A6
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0095
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0EF2
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0F8A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D004E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0011
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0084
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009C0F57
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009C0FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009C0F72
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009C0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ BC, 88 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009C000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB006E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0051
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F43
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F54
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F10
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F21
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0EFF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB007F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F32
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660014
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0066002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00630FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00630000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00630025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00630036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640000
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[1748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[1748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F83
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0078
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0051
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0093
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F1F
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00AE
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EFA
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F68
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0011
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F30
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FA8
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F83
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FC3
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FD4
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290040
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290025
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290014
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\explorer.exe[2056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02010FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0060
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F61
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F72
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F2E
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F3F
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EFF
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00A2
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EEE
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F50
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0087
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F6B
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290028
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F7C
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290F97
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0FA1
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0FB2
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0080
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F7C
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00C2
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F5A
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F6B
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B010E
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0065
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0025
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B00B1
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0036
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00DF
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0065
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0025
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B004A
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FA8
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ 4B, 88 ]
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003D0FEF
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFCF9D 76BF10ED 37 Bytes [ 00, 8D, 7E, 64, EB, 8C, F6, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFCFC3 76BF1113 16 Bytes [ EB, 24, 90, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFCFD4 76BF1124 125 Bytes [ 53, 56, 8B, F1, 57, 8D, 5E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFD0B3 76BF1203 15 Bytes CALL 76BD7996
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFD0C3 76BF1213 80 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + B 76BF1485 82 Bytes [ 00, 89, 32, C7, 42, 20, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + 5E 76BF14D8 22 Bytes [ 00, C9, C2, 08, 00, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + 76 76BF14F0 77 Bytes [ 04, 75, 38, 57, 8B, 79, 04, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + C5 76BF153F 3 Bytes [ 74, 02, 02 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + C9 76BF1543 77 Bytes [ 56, 8B, 75, 14, 57, 56, E8, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 15 76BF1650 1 Byte [ 7D ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 17 76BF1652 74 Bytes [ 83, 4F, 70, 10, 8B, 45, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 62 76BF169D 24 Bytes CALL 76BF16BE C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 7D 76BF16B8 23 Bytes JMP 074FA734
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 95 76BF16D0 19 Bytes [ FF, 55, 8B, EC, 8B, 45, 0C, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 4 76BF176E 144 Bytes [ 45, 14, 0F, 85, 91, FF, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 95 76BF17FF 36 Bytes [ 57, FF, 75, 14, 89, 4E, 60, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + BA 76BF1824 133 Bytes CALL 76BF14A6 C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 140 76BF18AA 72 Bytes [ EC, 8B, 4D, 08, 80, B9, E5, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 189 76BF18F3 33 Bytes JMP 76BF1436 C:\WINDOWS\system32\PSAPI.DLL
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameA + 25 76BF1CEA 93 Bytes [ F3, A5, 8B, CA, 83, E1, 03, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameW + 8 76BF1D48 51 Bytes [ 4D, 0C, 89, 01, 33, C0, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameW + 3C 76BF1D7C 12 Bytes [ FF, FF, C7, 45, FC, 0E, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameW + 49 76BF1D89 24 Bytes JMP 76BF1CFE C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameW + 6 76BF1DA2 13 Bytes CALL 76BD91C3
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameW + 14 76BF1DB0 18 Bytes [ 35, AC, 10, E7, 77, 8D, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameW + 27 76BF1DC3 62 Bytes [ C0, 0F, 84, 18, 79, 01, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetMappedFileNameW + B 76BF1E03 147 Bytes CALL 76BD76BB
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetMappedFileNameA + 7 76BF1E97 37 Bytes [ 8D, 45, F8, 50, 53, FF, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetMappedFileNameA + 2D 76BF1EBD 67 Bytes CALL 76BD76BD
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + D 76BF1F01 133 Bytes [ 00, 00, 00, 68, C0, B2, EF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + 93 76BF1F87 39 Bytes [ 83, F8, FF, 8B, CB, 0F, 84, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + BD 76BF1FB1 17 Bytes [ 90, 90, 90, 90, 90, 83, 3D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + CF 76BF1FC3 33 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + F1 76BF1FE5 21 Bytes [ 45, 08, 39, 05, 60, B3, EF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 11 76BF205E 14 Bytes [ 88, 7C, 8B, 70, 04, E9, 87, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 20 76BF206D 28 Bytes JMP 76BE289E
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 3D 76BF208A 23 Bytes [ 6A, 01, 8D, 85, D8, FD, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 55 76BF20A2 41 Bytes JMP 76C0EA35
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameW + 17 76BF20CC 31 Bytes [ 75, 10, FF, 75, 14, FF, 15, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameW + 37 76BF20EC 64 Bytes [ FF, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameW + 78 76BF212D 103 Bytes [ 6A, 00, FF, B6, A8, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameA + 63 76BF2195 75 Bytes CALL 76BE2D0E
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleInformation + 47 76BF21E1 74 Bytes [ EC, 53, 56, 8B, 75, 10, 57, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleInformation + 92 76BF222C 130 Bytes [ 05, A4, 50, 88, 7C, E9, B3, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + B 76BF22AF 59 Bytes [ FF, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 47 76BF22EB 187 Bytes [ 51, 8D, 45, 08, 50, FF, 76, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 103 76BF23A7 174 Bytes CALL 3E74A8BB
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 1B2 76BF2456 32 Bytes [ FF, 8B, F8, 85, FF, 0F, 8C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 1D3 76BF2477 14 Bytes [ 83, 3E, 03, 0F, 84, 03, 69, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + A1 76BF3B17 59 Bytes CALL 76BF438B C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + DD 76BF3B53 2 Bytes [ 8B, 75 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + E0 76BF3B56 5 Bytes [ 85, C0, 74, 03, 50 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + E6 76BF3B5C 83 Bytes [ 08, 83, 7D, E4, 00, 74, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + 13A 76BF3BB0 40 Bytes [ C2, 14, 00, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessMemoryInfo + 1C 76BF3BD9 201 Bytes [ F9, 0C, 73, 08, 8D, 45, D4, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessMemoryInfo + E6 76BF3CA3 28 Bytes [ C3, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 10 76BF3CC1 5 Bytes [ 4C, 11, DD, 77, 33 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 16 76BF3CC7 12 Bytes [ EB, 03, 33, C0, 40, E8, BE, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 23 76BF3CD4 4 Bytes [ 90, 90, 90, 90 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 28 76BF3CD9 61 Bytes [ FF, FF, FF, 93, 7C, E3, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetWsChanges + 22 76BF3D17 18 Bytes CALL 76BAD871
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetWsChanges + 35 76BF3D2A 6 Bytes [ FF, 75, E4, E8, 22, EC ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameW + 2 76BF3D31 61 Bytes [ FF, 83, 4D, FC, FF, 85, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameW + 40 76BF3D6F 135 Bytes [ 75, 1C, FF, 75, 18, FF, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameA + 3A 76BF3DF7 2 Bytes [ 75, 07 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameA + 3D 76BF3DFA 131 Bytes [ 45, E4, 08, 00, 00, 00, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 3D 76BF3E7E 10 Bytes CALL 76B9298C
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 48 76BF3E89 9 Bytes [ 90, 90, 90, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 52 76BF3E93 39 Bytes [ FF, 0B, 7E, E3, 77, 1E, 7E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 7A 76BF3EBB 32 Bytes [ 8D, 45, 94, 50, 6A, 64, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 9B 76BF3EDC 46 Bytes [ C9, C2, 04, 00, 90, 90, 90, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 41 76BF4022 4 Bytes [ 00, 68, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 47 76BF4028 27 Bytes [ 04, 00, 0C, 00, 30, E8, 04, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 63 76BF4044 17 Bytes [ 03, 00, 18, 01, 04, 00, 40, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 77 76BF4058 8 Bytes [ 05, 00, 10, 00, 32, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 80 76BF4061 87 Bytes [ 00, 08, 00, 46, 03, 08, 01, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + E4 76BF4234 51 Bytes [ 64, 00, 73, 00, 41, 00, 64, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 118 76BF4268 19 Bytes [ 72, 00, 69, 00, 63, 00, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 12C 76BF427C 79 Bytes [ 69, 00, 64, 00, 73, 00, 54, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 17C 76BF42CC 1 Byte [ 61 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 17E 76BF42CE 7 Bytes [ 78, 00, 50, 00, 72, 00, 69 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66A1B 3D931671 159 Bytes [ 39, 5D, 08, 0F, 85, 87, DB, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66ABB 3D931711 28 Bytes [ 00, 00, 89, 45, D8, 89, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66AD8 3D93172E 101 Bytes [ D4, 18, 00, 00, 00, C7, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66B3E 3D931794 28 Bytes [ FC, FF, 15, 28, 14, DD, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66B5B 3D9317B1 32 Bytes [ 15, 94, 14, DD, 77, 85, DB, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 4 3D9340C4 72 Bytes [ 45, F8, 8B, 75, 10, 8D, 7C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 4E 3D93410E 14 Bytes [ F0, 39, 5D, F0, 74, 46, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 5D 3D93411D 20 Bytes CALL 3D933D85 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 72 3D934132 10 Bytes [ 15, 70, 14, F6, 77, 8B, 7D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 7D 3D93413D 54 Bytes [ 02, 8B, C8, 8B, D1, C1, E9, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + 9 3D934F17 53 Bytes [ 50, 8D, 85, FC, F5, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + 3F 3D934F4D 50 Bytes [ FF, 75, 10, 89, 45, E8, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + 72 3D934F80 102 Bytes [ 8B, 45, 08, 89, 46, 10, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + D9 3D934FE7 23 Bytes CALL 3D934F6E C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + F1 3D934FFF 4 Bytes [ FF, 02, 0D, 02 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 12 3D93526B 33 Bytes [ 00, 00, 00, 00, 00, 06, 06, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 34 3D93528D 14 Bytes [ 00, 00, 00, 14, 2C, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 43 3D93529C 2 Bytes [ 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 48 3D9352A1 7 Bytes [ 00, 00, 00, 2C, 2C, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 50 3D9352A9 26 Bytes [ 00, 00, 00, 06, 06, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 22 3D93BE65 20 Bytes [ 00, 8D, BE, 90, 09, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 37 3D93BE7A 45 Bytes [ 00, 8B, 4E, 04, 8B, 01, 68, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 65 3D93BEA8 66 Bytes [ 50, 60, 8B, 86, 88, 09, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + A8 3D93BEEB 134 Bytes [ 66, 89, 5E, 20, 8B, 01, 57, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 12F 3D93BF72 17 Bytes [ 52, 8D, 95, CC, FD, FF, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + A1 3D93CA47 57 Bytes [ 83, C0, 03, 83, E0, FC, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + DB 3D93CA81 21 Bytes [ 55, 8B, EC, 51, 51, 53, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + F1 3D93CA97 9 Bytes [ 66, 83, 3F, 5C, 59, 74, 35, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + FB 3D93CAA1 64 Bytes [ 0E, 83, C0, 03, 83, E0, FC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + 13C 3D93CAE2 41 Bytes CALL 3D8FB417
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 36 3D94007F 5 Bytes [ 75, 14, 56, E8, 15 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 3D 3D940086 40 Bytes [ FF, 3B, C7, 89, 03, 74, 09, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 66 3D9400AF 17 Bytes [ A1, AC, B2, EF, 77, 89, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 78 3D9400C1 55 Bytes [ 77, 89, 45, 94, 8B, 45, 14, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + B0 3D9400F9 31 Bytes [ 4E, 2F, FB, FF, 3B, C3, 89, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 29 3D94070B 5 Bytes [ 55, 8B, EC, 56, 57 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 2F 3D940711 30 Bytes [ 75, 08, 8B, F1, 8B, 46, 64, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 4E 3D940730 43 Bytes [ 6A, 5A, 57, 6A, 03, E8, 32, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 7A 3D94075C 40 Bytes [ 22, 03, 09, 80, 74, 2E, 81, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + A5 3D940787 103 Bytes [ 05, 21, 07, 00, 00, 8B, F0, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 26 3D9408CD 24 Bytes [ 46, 64, 8D, 4D, FC, 51, 57, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 3F 3D9408E6 21 Bytes [ BE, E5, 06, 00, 00, 56, 6A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 55 3D9408FC 276 Bytes [ 01, 00, 00, 00, EB, 06, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 16B 3D940A12 1 Byte [ 08 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 16D 3D940A14 97 Bytes CALL 3D935EA5 C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCanonicalizeUrlW + 4 3D940DFC 121 Bytes [ 46, 08, 85, C0, 74, 1E, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 26 3D940E76 29 Bytes [ 46, 08, 85, C0, 74, 0B, 50, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 44 3D940E94 41 Bytes [ 83, 66, 10, 00, 59, 56, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 6E 3D940EBE 33 Bytes [ FC, 75, 07, 33, C0, E9, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 90 3D940EE0 71 Bytes [ 13, 74, 40, 8B, 43, 04, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + D8 3D940F28 48 Bytes [ 39, 8B, 4B, 0C, 85, C9, 74, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 4 3D940F7C 28 Bytes [ 75, FC, 59, 89, 46, 10, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 21 3D940F99 3 Bytes [ 02, 8B, F8 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 25 3D940F9D 9 Bytes JMP C93A02A4
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 2F 3D940FA7 21 Bytes [ FC, 83, E1, 03, F3, A4, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 45 3D940FBD 1 Byte [ EC ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + B 3D94330D 66 Bytes [ 47, 47, 66, 8B, 07, 66, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + 4E 3D943350 92 Bytes [ 00, 83, F8, 0A, 7D, 24, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + AB 3D9433AD 19 Bytes [ 4D, EC, 85, C9, 0F, 85, 7D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + BF 3D9433C1 32 Bytes [ 80, 66, 39, F7, 80, 7D, 13, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + E0 3D9433E2 98 Bytes [ 8B, 5E, 14, 57, FF, 75, 0C, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 2E 3D9434AE 12 Bytes [ 8B, C2, 83, E0, 07, 56, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 3B 3D9434BB 5 Bytes [ 45, EC, 8B, 46, 1C ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 41 3D9434C1 5 Bytes [ 5D, F0, 83, C3, 04 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 47 3D9434C7 25 Bytes [ 45, DC, 89, 56, 1C, 66, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 61 3D9434E1 73 Bytes [ 00, 83, 65, F8, 00, 8B, 46, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 30 3D9463A6 2 Bytes [ FF, 55 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 33 3D9463A9 10 Bytes [ EC, 8B, 45, 0C, 83, 20, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 3E 3D9463B4 70 Bytes [ 80, 5D, C2, 08, 00, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 85 3D9463FB 62 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + C4 3D94643A 4 Bytes [ 88, B8, 00, 00 ]
.text ...

by **meteorman** » November 8th, 2009, 10:12 am

*** gmer .txt file. Part 2 ****

.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFile + 73 3D9465BE 24 Bytes [ 75, 08, 6A, 00, FF, 73, 10, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFile + 8C 3D9465D7 80 Bytes [ 15, 88, 14, F6, 77, EB, 07, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFile + DD 3D946628 62 Bytes [ 96, F6, 77, C7, 46, 04, 30, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFile + 11C 3D946667 158 Bytes [ 8D, 7D, F0, AB, AB, AB, AB, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFile + 1BB 3D946706 5 Bytes [ 07, 80, EB, 10, 50 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionW + 59 3D947854 24 Bytes [ C0, 7C, 1B, 8B, 76, 34, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionW + 73 3D94786E 117 Bytes [ 8B, 00, EB, 02, 33, C0, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionW + E9 3D9478E4 9 Bytes [ 8B, CF, 89, 46, 1C, E8, 16, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionW + F3 3D9478EE 117 Bytes [ 85, C0, 5E, 7C, 0E, FF, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionW + 169 3D947964 21 Bytes [ 75, F8, 89, 46, 18, 8B, 45, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoA + 28 3D9487B5 3 Bytes CALL 3C94893C
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoA + 2C 3D9487B9 5 Bytes [ FF, B5, D4, FE, FF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoA + 32 3D9487BF 44 Bytes CALL 3D98C0F5 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoA + 5F 3D9487EC 89 Bytes [ 35, BC, 14, 93, 3D, 57, 6A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoA + B9 3D948846 11 Bytes [ F0, 2B, 05, F8, 12, 9E, 3D, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCloseHandle + 1E 3D9490A6 11 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCloseHandle + 2A 3D9490B2 22 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCloseHandle + 42 3D9490CA 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCloseHandle + 4B 3D9490D3 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCloseHandle + 51 3D9490D9 22 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoW + 1D 3D94BDB1 148 Bytes CALL 40992606
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoW + B2 3D94BE46 140 Bytes CALL 3D948462 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoW + 13F 3D94BED3 97 Bytes [ 85, C9, 7E, 2B, 8B, 54, 8F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoW + 1A1 3D94BF35 4 Bytes [ FF, B8, FF, FF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpQueryInfoW + 1A6 3D94BF3A 43 Bytes [ 00, 23, C8, 74, 0E, 3B, C8, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryDataAvailable + 28 3D94BFA7 15 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryDataAvailable + 39 3D94BFB8 28 Bytes CALL 3D94B627 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryDataAvailable + 56 3D94BFD5 6 Bytes [ 8B, CE, E8, FC, E4, FF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryDataAvailable + 5D 3D94BFDC 9 Bytes CALL 3D94A466 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryDataAvailable + 67 3D94BFE6 39 Bytes [ 45, F0, 3B, 45, F8, 0F, 8D, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetUnlockRequestFile + B 3D94CB01 94 Bytes [ 10, F6, 77, 74, 09, 50, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetUnlockRequestFile + 6A 3D94CB60 109 Bytes [ 75, 10, 3B, F7, 0F, 85, 92, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetUnlockRequestFile + D8 3D94CBCE 7 Bytes [ 00, FF, 75, 08, 68, 00, 01 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetUnlockRequestFile + E0 3D94CBD6 32 Bytes CALL 3D948981 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetUnlockRequestFile + 101 3D94CBF7 37 Bytes [ 00, 8B, 45, F4, 8B, 00, 3B, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersA + 27 3D94CF6D 55 Bytes [ 8D, 48, 08, 39, 19, 0F, 84, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersA + 5F 3D94CFA5 1 Byte [ 4D ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersA + 61 3D94CFA7 30 Bytes [ 56, 8B, 75, 14, 85, F6, 89, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersA + 81 3D94CFC7 103 Bytes [ BA, 34, 90, F6, 77, 75, 05, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersA + E9 3D94D02F 26 Bytes [ 3F, C0, 00, 00, 3F, C0, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestA + 63 3D94D56B 103 Bytes [ 01, 01, 01, 01, 01, 52, 55, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestA + CB 3D94D5D3 1 Byte [ 1A ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestA + CD 3D94D5D5 51 Bytes [ 00, 00, 00, 00, 00, 7F, 93, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestA + 101 3D94D609 11 Bytes [ 7C, 56, 15, 0F, 0F, 13, 1A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestA + 10D 3D94D615 2 Bytes [ 00, 00 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectA + 8 3D94DEB6 65 Bytes [ FF, 04, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectA + 4A 3D94DEF8 43 Bytes [ F8, F9, F9, FF, F8, F9, F9, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectA + 76 3D94DF24 47 Bytes [ E5, E6, E6, FF, 01, 01, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectA + A6 3D94DF54 11 Bytes [ FA, FB, FB, FF, FA, FA, FA, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectA + B2 3D94DF60 63 Bytes [ F9, FA, FA, FF, F9, FA, FA, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlA + 11 3D94F339 71 Bytes [ 15, C8, 14, 93, 3D, 8B, 4D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlA + 5A 3D94F382 194 Bytes [ EB, BA, 90, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlA + 11D 3D94F445 16 Bytes [ 74, 09, FF, 75, FC, FF, 15, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlA + 12E 3D94F456 101 Bytes [ 15, C8, 14, 93, 3D, 8B, C7, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlA + 194 3D94F4BC 24 Bytes [ C7, 5F, 5E, C9, C2, 0C, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectW + 66 3D94F8C8 86 Bytes [ 55, 8B, EC, 83, 7D, 18, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectW + BD 3D94F91F 27 Bytes [ 8B, F0, 8B, C6, 5E, 5D, C2, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectW + D9 3D94F93B 106 Bytes [ 4D, 0C, 85, D2, 74, 0B, 3C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectW + 144 3D94F9A6 1 Byte [ 75 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConnectW + 146 3D94F9A8 69 Bytes [ 6A, 3A, 56, FF, 15, 7C, 11, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestW + 13 3D94FAD1 42 Bytes [ 3C, 39, 7F, 08, 0F, BE, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestW + 3E 3D94FAFC 68 Bytes CALL 3D8F698D
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestW + 84 3D94FB42 29 Bytes [ 60, 8B, C6, 5E, 5D, C2, 14, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestW + A2 3D94FB60 103 Bytes [ EC, 83, 7D, 08, 00, 74, 07, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestW + 10A 3D94FBC8 10 Bytes [ FF, 55, 8B, EC, 56, 8B, F1, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestW + 1C 3D94FC17 91 Bytes [ 45, 10, 0F, 85, 85, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestW + 78 3D94FC73 38 Bytes [ F7, 74, 0D, 39, 7E, 60, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestW + 9F 3D94FC9A 101 Bytes CALL 3D907D2C
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestW + 105 3D94FD00 42 Bytes [ 90, 8B, FF, 55, 8B, EC, 81, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpOpenRequestW + 130 3D94FD2B 2 Bytes [ 7D, 08 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersW + 14 3D94FE5D 56 Bytes [ 45, B8, EB, 34, 39, 7D, BC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersW + 4D 3D94FE96 51 Bytes [ 45, 10, 8B, 45, 10, 83, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersW + 81 3D94FECA 107 Bytes [ C4, 0C, 39, 7D, 0C, 74, 38, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersW + ED 3D94FF36 39 Bytes [ EB, 28, C7, 45, FC, EB, 2E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpAddRequestHeadersW + 115 3D94FF5E 71 Bytes [ FA, FF, 5B, 39, 7D, EC, 74, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetInitializeAutoProxyDll 3D9514D8 103 Bytes [ 90, 90, 8B, FF, 55, 8B, EC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetInitializeAutoProxyDll + 68 3D951540 44 Bytes [ 5D, E4, 83, 7D, 10, 09, 7C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetInitializeAutoProxyDll + 95 3D95156D 18 Bytes [ 8B, F0, 89, 75, D0, EB, 3E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetInitializeAutoProxyDll + A8 3D951580 144 Bytes CALL 3D92986D
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetInitializeAutoProxyDll + 139 3D951611 43 Bytes [ 75, CC, FF, 15, 70, 16, DD, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlA + 4D 3D954975 28 Bytes CALL 3D93F751 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlA + 6A 3D954992 26 Bytes [ 55, 8B, EC, 56, 8D, 45, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlA + 85 3D9549AD 75 Bytes [ F6, 0F, 8D, F9, CF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlA + D1 3D9549F9 18 Bytes CALL 3D93D020 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlA + E4 3D954A0C 5 Bytes [ 90, 90, 90, 90, 90 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ReadUrlCacheEntryStream + 1A 3D95632D 131 Bytes JMP 3D955E37 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamA + 6B 3D9563B1 2 Bytes [ 22, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamA + 70 3D9563B6 147 Bytes [ 35, 44, 11, DD, 77, 68, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamA + 104 3D95644A 103 Bytes [ FF, 85, C0, 0F, 84, 8A, DD, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamA + 16C 3D9564B2 44 Bytes [ 00, 00, A1, 40, 66, E4, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamA + 199 3D9564DF 45 Bytes [ 68, A0, 97, DD, 77, 8D, 4D, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryA + 9D 3D95680C 37 Bytes [ FF, 3B, C6, 89, B5, E8, FD, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryA + C3 3D956832 47 Bytes [ C9, C2, 04, 00, 90, 90, 53, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryA + F3 3D956862 5 Bytes [ 6E, 00, 64, 00, 6F ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryA + F9 3D956868 29 Bytes [ 77, 00, 73, 00, 20, 00, 4E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryA + 117 3D956886 3 Bytes [ 72, 00, 73 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryFileW + 1A 3D958BF0 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryFileW + 23 3D958BF9 36 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryFileW + 48 3D958C1E 12 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryFileW + 56 3D958C2C 22 Bytes [ 30, 00, 00, 80, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryFileW + 6E 3D958C44 12 Bytes [ 48, 00, 00, 00, 60, C0, 08, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryFileW + 22 3D958CB6 8 Bytes [ 00, 00, 00, 00, 00, 00, 04, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryFileW + 2C 3D958CC0 7 Bytes [ 01, 00, 53, 00, 74, 00, 72 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryFileW + 34 3D958CC8 1 Byte [ 69 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryFileW + 36 3D958CCA 7 Bytes [ 6E, 00, 67, 00, 46, 00, 69 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryFileW + 3E 3D958CD2 37 Bytes [ 6C, 00, 65, 00, 49, 00, 6E, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateEx + B 3D958F8C 20 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateEx + 20 3D958FA1 1 Byte [ 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateEx + 23 3D958FA4 30 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateEx + 43 3D958FC4 27 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateEx + 5F 3D958FE0 22 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryA 3D959294 37 Bytes [ 49, 6E, 74, 65, 72, 6E, 65, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryA + 29 3D9592BD 6 Bytes [ 8B, FF, 55, 8B, EC, 51 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExA + 6 3D9592C4 62 Bytes [ 53, 56, 57, FF, 75, 08, 33, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExA + 45 3D959303 29 Bytes [ 15, B8, 14, 93, 3D, 89, 7E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExA + 63 3D959321 38 Bytes [ C0, 74, C3, 8B, 5D, 0C, 3B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExA + 8A 3D959348 1 Byte [ 56 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExA + 8C 3D95934A 12 Bytes [ C7, 46, 44, 01, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExA + 3C 3D959886 87 Bytes [ D1, F8, 03, C0, 50, 8D, 81, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExA + 94 3D9598DE 67 Bytes [ FF, D6, EB, 06, 8B, BD, 6C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExA + D8 3D959922 43 Bytes [ F3, 77, 00, 00, 8B, F8, 3B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExA + 104 3D95994E 123 Bytes [ 00, 3B, C3, 89, 85, 70, FD, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExA + 180 3D9599CA 41 Bytes [ 05, 00, 00, 8B, C7, 8D, 50, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryFile + 2D 3D95A61E 9 Bytes [ F3, AB, 59, C7, 85, FC, FB, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryFile + 37 3D95A628 52 Bytes [ 04, 00, 00, C7, 85, 28, FC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ReadUrlCacheEntryStreamEx + 1F 3D95A65D 10 Bytes [ FF, 8B, C1, 66, A5, 8B, B5, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ReadUrlCacheEntryStreamEx + 2A 3D95A668 34 Bytes JMP D053336F
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ReadUrlCacheEntryStreamEx + 4D 3D95A68B 15 Bytes [ 85, C0, 75, 21, 8B, 85, 04, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ReadUrlCacheEntryStreamEx + 5D 3D95A69B 4 Bytes [ 85, 08, FC, FF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ReadUrlCacheEntryStreamEx + 62 3D95A6A0 43 Bytes [ A3, CC, 8C, E4, 77, 8B, 85, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryStream + 1E 3D95A6EF 40 Bytes [ FF, 78, 00, 00, 00, C7, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryStream + 47 3D95A718 7 Bytes JMP D053341F
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryStream + 4F 3D95A720 9 Bytes [ FF, F3, A5, 8B, C8, 8D, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryStream + 59 3D95A72A 125 Bytes [ FF, 50, 53, 8D, 85, C0, F7, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UnlockUrlCacheEntryStream + D7 3D95A7A8 11 Bytes [ 67, 00, 54, 00, 72, 00, 61, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTime + A 3D95AC73 166 Bytes [ 6A, 0C, 68, 68, 05, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTime + B1 3D95AD1A 37 Bytes [ 00, 81, 7D, 08, 50, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTime + D7 3D95AD40 31 Bytes [ 00, 00, 53, 89, 5D, F8, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTime + F7 3D95AD60 48 Bytes [ 50, FF, 75, 18, 8D, 45, EC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTime + 128 3D95AD91 11 Bytes [ 6A, 0D, 68, D3, 05, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenA + 1A 3D95D6AA 23 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenA + 32 3D95D6C2 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenA + 3A 3D95D6CA 8 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenA + 43 3D95D6D3 3 Bytes [ 00, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenA + 48 3D95D6D8 32 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenW + 4E 3D95DB57 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenW + 69 3D95DB72 23 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenW + 83 3D95DB8C 21 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenW + 99 3D95DBA2 1 Byte [ 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenW + 9C 3D95DBA5 17 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetStatusCallback + 7 3D95DCCF 8 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetStatusCallback + 12 3D95DCDA 3 Bytes [ 00, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetStatusCallback + 16 3D95DCDE 34 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetStatusCallback + 39 3D95DD01 8 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetStatusCallback + 42 3D95DD0A 37 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestA + 37 3D95EEC0 115 Bytes [ 80, 22, E0, 77, 96, 22, E0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestA + AB 3D95EF34 20 Bytes [ 5D, 23, E0, 77, 73, 23, E0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestA + C9 3D95EF52 1 Byte [ 8D ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestA + CB 3D95EF54 44 Bytes [ 04, 83, C0, 04, 50, 68, 5A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestA + F8 3D95EF81 41 Bytes [ 00, 00, 00, 10, 24, DE, 77, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlA + 25 3D95F3C9 22 Bytes [ 69, 04, 33, C2, 23, C7, 33, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlA + 3C 3D95F3E0 514 Bytes [ 69, 18, 03, DA, 33, C3, 23, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlA + 23F 3D95F5E3 79 Bytes [ 69, 1C, 03, F5, 03, FB, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlA + 28F 3D95F633 37 Bytes [ C3, 03, FD, 05, FA, 27, A1, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlA + 2B5 3D95F659 8 Bytes [ C7, 03, F7, 8B, 69, 18, 03, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerW + 27 3D960977 113 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerW + 99 3D9609E9 79 Bytes CALL 3D96BE60 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerW + E9 3D960A39 13 Bytes [ B8, E6, 06, 00, 00, EB, 3D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerW + F7 3D960A47 95 Bytes [ 30, 33, C0, 66, 8B, 86, F4, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerW + 157 3D960AA7 51 Bytes [ F8, 85, FF, 74, 06, 56, E8, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCombineUrlW 3D960AF5 3 Bytes [ 90, 90, 90 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCombineUrlW + 4 3D960AF9 42 Bytes [ FF, 55, 8B, EC, 56, 57, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCombineUrlW + 30 3D960B25 250 Bytes [ 05, 6A, 0E, 58, EB, 18, 57, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCombineUrlW + 12B 3D960C20 27 Bytes [ 35, 8C, BD, EF, 77, FF, 15, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCombineUrlW + 147 3D960C3C 38 Bytes CALL 3D95E08E C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryInfoA + 1A 3D962475 90 Bytes [ 83, C4, 10, 33, C0, E9, E7, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryInfoA + 75 3D9624D0 56 Bytes [ 51, 75, 65, 72, 79, 53, 79, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryInfoA + AE 3D962509 23 Bytes [ 8B, F8, 56, FF, 15, 58, 13, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryInfoA + C6 3D962521 13 Bytes [ 83, 7E, 18, 00, 0F, 84, 0F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryInfoA + D4 3D96252F 114 Bytes CALL 3D938268 C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheContainerA + 2 3D962DA1 25 Bytes [ 75, F4, FF, 15, 58, 13, E7, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheContainerA + 1C 3D962DBB 93 Bytes CALL 3D973290 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerA + 39 3D962E19 94 Bytes JMP 3D936371 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerA + 98 3D962E78 31 Bytes JMP 3D947383 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerA + B8 3D962E98 30 Bytes [ 0E, 8B, 01, 56, FF, 50, 3C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerA + D8 3D962EB8 19 Bytes JMP 3D94A42E C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheContainerA + EC 3D962ECC 8 Bytes JMP 3D950E32 C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryW + F7 3D96317C 44 Bytes JMP 3D95BC30 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryW + 124 3D9631A9 88 Bytes [ 00, 00, 8B, 41, 5C, E9, 69, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryW + 17D 3D963202 23 Bytes [ 15, 84, 11, E7, 77, E9, 7F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryW + 195 3D96321A 1 Byte [ 85 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryW + 197 3D96321C 45 Bytes [ 75, 09, B8, A5, 06, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExW + E 3D963357 13 Bytes [ 17, FF, 71, 54, BF, 1A, 07, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExW + 1C 3D963365 5 Bytes [ 50, 56, 68, 5E, 01 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExW + 23 3D96336C 124 Bytes [ 57, EB, 13, 68, A0, BB, 0D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExA + 68 3D9633E9 55 Bytes [ 85, C0, 74, 33, 8B, 4D, 1C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExA + A0 3D963421 33 Bytes [ 4D, F8, 51, 8B, CF, E8, 26, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExA + C2 3D963443 61 Bytes JMP 3D94E294 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExA + 100 3D963481 97 Bytes JMP 3D960467 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetReadFileExA + 162 3D9634E3 78 Bytes [ 17, 03, 09, 80, 74, 0F, 3D, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieExW + A9 3D964B7A 1 Byte [ E0 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieExW + AB 3D964B7C 87 Bytes [ 15, E4, 11, DD, 77, E9, 6C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieExA + 4 3D964BD4 151 Bytes [ 48, 04, 39, 08, 74, 0C, 51, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieExA + 9C 3D964C6C 1 Byte [ F6 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieExA + 9F 3D964C6F 3 Bytes [ 99, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieExA + A3 3D964C73 33 Bytes [ 83, FF, 0F, 77, 35, 8D, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieExA + C5 3D964C95 24 Bytes [ 17, 57, 8D, 45, DC, 56, 50, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieExW + 43 3D965FC8 96 Bytes [ 70, 78, FF, 15, C4, 11, 41, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieExW + A4 3D966029 305 Bytes [ 47, 65, 74, 50, 69, 78, 65, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieExW + 1D6 3D96615B 35 Bytes [ 47, 65, 74, 54, 65, 78, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieExW + 1FA 3D96617F 98 Bytes [ 78, 50, 6F, 69, 6E, 74, 49, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieExW + 25D 3D9661E2 7 Bytes [ 47, 65, 74, 54, 65, 78, 74 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsUrlCacheEntryExpiredW + 56 3D9663C6 57 Bytes [ 56, 69, 65, 77, 70, 6F, 72, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsUrlCacheEntryExpiredW + 90 3D966400 105 Bytes [ 6D, 43, 6C, 69, 70, 4C, 69, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsUrlCacheEntryExpiredW + FA 3D96646A 3 Bytes [ 50, 69, 65 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsUrlCacheEntryExpiredW + FE 3D96646E 4 Bytes [ 50, 6C, 61, 79 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsUrlCacheEntryExpiredW + 103 3D966473 10 Bytes [ 6E, 68, 4D, 65, 74, 61, 46, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IncrementUrlCacheHeaderData + 23 3D967212 32 Bytes [ 89, 41, 1C, 8B, 82, 88, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IncrementUrlCacheHeaderData + 44 3D967233 24 Bytes [ 00, 0F, B7, 01, 83, C0, 03, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IncrementUrlCacheHeaderData + 5D 3D96724C 126 Bytes [ 36, 3B, 35, 0C, 40, F5, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IncrementUrlCacheHeaderData + DC 3D9672CB 1 Byte [ 56 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IncrementUrlCacheHeaderData + DE 3D9672CD 101 Bytes [ D8, FF, 15, B0, 11, F1, 77, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsHostInProxyBypassList + 4 3D967A3D 62 Bytes [ 4D, 0C, 85, C9, 74, 19, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsHostInProxyBypassList + 43 3D967A7C 71 Bytes [ DA, 57, 89, 55, F8, 0F, 84, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsHostInProxyBypassList + 8C 3D967AC5 20 Bytes CALL 3D967B4D C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsHostInProxyBypassList + A2 3D967ADB 3 Bytes [ A1, 8B, 01 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsHostInProxyBypassList + A6 3D967ADF 20 Bytes [ 83, 7D, 0C, 02, 0F, 84, A3, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheEntry + 46 3D967D80 81 Bytes [ FF, FF, FF, FF, AB, 2C, F3, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheEntry + 98 3D967DD2 131 Bytes [ FF, 33, F6, 89, 30, 33, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheEntry + 11C 3D967E56 15 Bytes [ BD, A4, FD, FF, FF, 89, BD, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheEntry + 12C 3D967E66 8 Bytes [ 8B, C8, 3B, CF, 89, 8D, A0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheEntry + 135 3D967E6F 28 Bytes [ FF, 74, 1A, 83, 39, 28, 72, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossingW + 4 3D968827 13 Bytes [ 85, D4, FC, FF, FF, 03, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossingW + 12 3D968835 254 Bytes [ FF, B5, EC, FC, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossingW + 112 3D968935 187 Bytes [ 46, 10, 03, C7, 8B, 08, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossingW + 1CE 3D9689F1 45 Bytes [ 89, 45, FC, 75, 5B, C7, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossingW + 1FD 3D968A20 59 Bytes [ FF, 24, 8D, 53, 05, 96, 3D, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerW + 65 3D9693DA 32 Bytes CALL 3D957461 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerW + 86 3D9693FB 9 Bytes [ 5D, 08, 85, DB, 56, 57, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerW + 90 3D969405 11 Bytes [ 0C, 85, F6, 74, 64, 56, C6, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerW + 9C 3D969411 4 Bytes [ FF, FF, 89, 45 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerW + A1 3D969416 37 Bytes [ 80, 3E, 00, 74, 5F, 56, E8, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryGroupW + 68 3D969699 40 Bytes [ 33, C0, EB, F7, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryGroupW + 91 3D9696C2 16 Bytes CALL 3D95B4A3 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryGroupW + A2 3D9696D3 93 Bytes [ 65, 08, 00, 56, 57, 53, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryGroupW + 100 3D969731 34 Bytes [ FF, 15, 70, 13, F6, 77, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheEntryGroupW + 123 3D969754 31 Bytes [ 00, 00, 68, 0B, 01, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacyGetZonePreferenceW + 7C 3D970EC5 24 Bytes [ 66, 83, 24, 47, 00, E9, 1A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacyGetZonePreferenceW + 95 3D970EDE 11 Bytes [ F6, 45, 0A, 01, 89, 06, 0F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacyGetZonePreferenceW + A1 3D970EEA 71 Bytes [ 53, FF, 15, F0, 10, FE, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacyGetZonePreferenceW + E9 3D970F32 10 Bytes [ D6, FF, 73, 08, 8D, 45, E4, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacyGetZonePreferenceW + F4 3D970F3D 226 Bytes [ 73, 0C, 8D, 45, DC, 50, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerA + 2 3D97260A 17 Bytes [ 51, 8D, 88, E4, 01, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerA + 14 3D97261C 83 Bytes [ 50, 8D, 85, F4, FE, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerA + 68 3D972670 5 Bytes [ 85, C0, 74, 16, 8B ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerA + 6E 3D972676 20 Bytes CALL 79972679
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheContainerA + 84 3D97268C 1 Byte [ F0 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamW + 2 3D972C17 41 Bytes [ 8B, D8, 85, DB, 0F, 85, D1, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamW + 2D 3D972C42 52 Bytes [ 8D, 85, 54, FE, FF, FF, 50, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamW + 62 3D972C77 9 Bytes [ 8D, 74, FE, FF, FF, 89, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamW + 6C 3D972C81 32 Bytes [ FF, 74, 24, 8B, 50, 1C, 51, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!RetrieveUrlCacheEntryStreamW + 8E 3D972CA3 27 Bytes [ FF, 01, 00, 00, 00, F6, 45, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DetectAutoProxyUrl + C 3D976947 232 Bytes [ 00, 66, 3B, C7, 0F, 84, A4, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DetectAutoProxyUrl + F5 3D976A30 19 Bytes [ 00, 5D, C2, 14, 00, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DetectAutoProxyUrl + 10A 3D976A45 81 Bytes [ A1, 88, 61, E4, 77, 53, 89, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DetectAutoProxyUrl + 15C 3D976A97 39 Bytes [ 68, 19, 00, 02, 00, 68, 48, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DetectAutoProxyUrl + 184 3D976ABF 16 Bytes [ 15, D8, 15, DD, 77, 8D, 85, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryW + C 3D979896 3 Bytes [ 00, 00, 24 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryW + 10 3D97989A 3 Bytes [ 00, 00, 5F ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryW + 14 3D97989E 3 Bytes [ 52, 00, 65 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryW + 18 3D9798A2 3 Bytes [ 66, 00, 65 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheEntryW + 1C 3D9798A6 3 Bytes [ 72, 00, 72 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExA + 49 3D983D83 23 Bytes [ 00, 8A, 51, 04, B8, 02, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExA + 61 3D983D9B 10 Bytes [ 0F, 84, 96, 00, 00, 00, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExA + 6C 3D983DA6 105 Bytes [ 00, 8B, BE, 88, 02, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExA + D6 3D983E10 84 Bytes [ 68, 00, 02, 00, 00, 56, 6A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExA + 12B 3D983E65 315 Bytes [ 4F, 28, F6, C5, 40, 74, 09, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExW + 1 3D9845C4 45 Bytes [ 86, 18, 02, 00, 00, 01, 58, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExW + 30 3D9845F3 90 Bytes [ 8B, 87, 80, 01, 00, 00, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExW + 8B 3D98464E 116 Bytes [ 11, 89, 55, C8, 3B, D3, 0F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExW + 100 3D9846C3 28 Bytes [ 15, F4, 15, DD, 77, 50, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheEntryExW + 11D 3D9846E0 1 Byte [ 75 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetDialW + 4D 3D9A0324 42 Bytes CALL 3D99F0A5 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetDialW + 78 3D9A034F 3 Bytes [ 00, 74, 05 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetDialW + 7C 3D9A0353 12 Bytes CALL 0525DA57
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetDialW + 89 3D9A0360 18 Bytes [ 50, 65, 72, 55, 73, 65, 72, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetDialW + 9C 3D9A0373 45 Bytes [ 55, 8B, EC, 81, EC, 10, 01, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetDial + 39 3D9A080E 67 Bytes [ 00, 00, 3B, C6, A3, E4, 12, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetHangUp + D 3D9A0852 15 Bytes [ FF, 15, D0, 14, 93, 3D, A1, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetHangUp + 1D 3D9A0862 103 Bytes [ FF, 33, C0, EB, A9, 90, 53, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetHangUp + 85 3D9A08CA 53 Bytes [ CE, 89, 46, 24, 89, 46, 28, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetHangUp + BB 3D9A0900 49 Bytes [ 83, CC, FF, FF, 5E, C3, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetHangUp + ED 3D9A0932 7 Bytes [ 85, C0, 0F, 85, 65, F8, 05 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodial + 2B 3D9A096E 29 Bytes [ 85, C0, C7, 45, F4, 60, 86, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodial + 49 3D9A098C 34 Bytes [ 15, 78, 13, 93, 3D, 3B, C3, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodial + 6D 3D9A09B0 16 Bytes [ 89, 46, 10, 39, 1D, C8, 1A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodial + 7F 3D9A09C2 2 Bytes [ CC, 14 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodial + 83 3D9A09C6 25 Bytes [ 8D, 7E, 14, 8B, CF, 89, 5D, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialHangup + 20 3D9A0E01 96 Bytes [ FF, 59, 8B, C8, 85, C9, 0F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialHangup + 81 3D9A0E62 48 Bytes [ 8B, 07, 8B, 8D, F0, FD, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialHangup + B2 3D9A0E93 4 Bytes [ FF, C9, C3, 90 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialHangup + B7 3D9A0E98 37 Bytes [ 01, 00, 00, 00, 00, 00, 10, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialCallback + 22 3D9A0EBE 34 Bytes CALL CB9A0EC0
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialCallback + 45 3D9A0EE1 47 Bytes [ DC, BA, FF, FF, 3B, C3, 89, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialCallback + 75 3D9A0F11 15 Bytes [ B5, EC, FD, FF, FF, 57, 50, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialCallback + 85 3D9A0F21 92 Bytes [ F0, FD, FF, FF, 0F, 8D, C2, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAutodialCallback + E2 3D9A0F7E 58 Bytes JMP 3D9A2DF4 C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGoOnline + 6F 3D9A1283 35 Bytes [ FF, 0F, B7, 4A, 10, E9, 64, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGoOnline + 93 3D9A12A7 90 Bytes JMP 3D9A0C9D C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGoOnline + EE 3D9A1302 18 Bytes [ 6A, FF, 53, 8D, 85, 78, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGoOnline + 101 3D9A1315 126 Bytes JMP 3D9A0DA5 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGoOnline + 182 3D9A1396 22 Bytes CALL 3D99E2BE C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DllInstall + 19 3D9A32E1 43 Bytes [ 00, EB, 04, 83, 65, D8, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DllInstall + 45 3D9A330D 45 Bytes [ 74, 12, 8D, 45, DC, 50, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DllInstall + 73 3D9A333B 66 Bytes [ 12, 10, 02, C0, 33, FF, 47, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DllInstall + B6 3D9A337E 79 Bytes [ 08, 0F, 85, 43, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DllInstall + 107 3D9A33CF 57 Bytes [ A1, 78, BD, EF, 77, 8B, 48, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCanonicalizeUrlA + 4C 3D9A58B6 940 Bytes [ F6, F3, F3, F3, F3, F6, F3, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAttemptConnect + 3F 3D9A5C63 216 Bytes [ 94, 76, 89, 96, 8E, 8E, 8E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAttemptConnect + 118 3D9A5D3C 769 Bytes [ 36, 36, 36, 36, 36, 36, 36, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAttemptConnect + 41B 3D9A603F 67 Bytes [ 8B, 8D, 40, FF, FF, FF, 81, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetSecurityInfoByURL + 36 3D9A6083 15 Bytes [ FF, FF, 73, 44, 33, C0, 8A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetSecurityInfoByURL + 46 3D9A6093 100 Bytes [ 15, CC, 10, F1, 77, 85, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetWriteFile + 2 3D9A60F8 36 Bytes [ FF, FF, 15, 58, 51, F5, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetWriteFile + 27 3D9A611D 2 Bytes [ 47, 01 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetWriteFile + 2A 3D9A6120 68 Bytes [ 33, DB, 3B, C3, 89, 85, 58, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetWriteFile + 6F 3D9A6165 43 Bytes [ FF, FF, EB, 10, 6A, 57, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetWriteFile + 9B 3D9A6191 6 Bytes [ FF, FF, 8B, 40, 30, 53 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileA + 4E 3D9A6376 29 Bytes [ 82, 00, 00, 00, 7F, 08, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileA + 6C 3D9A6394 19 Bytes [ 70, 18, FF, 15, A8, 11, F1, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileA + 80 3D9A63A8 27 Bytes [ FF, B5, F4, FE, FF, FF, 6A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileA + 9C 3D9A63C4 48 Bytes [ 50, 56, FF, B5, EC, FE, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileA + CD 3D9A63F5 183 Bytes [ FF, 70, 18, FF, 15, AC, 11, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetShowSecurityInfoByURL + 2 3D9A650A 37 Bytes [ FF, 53, FF, B5, 40, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetShowSecurityInfoByURL + 28 3D9A6530 23 Bytes [ 8B, 8D, 3C, FF, FF, FF, 81, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetShowSecurityInfoByURL + 40 3D9A6548 7 Bytes [ 00, 74, F3, 81, F9, B6, 03 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetShowSecurityInfoByURL + 48 3D9A6550 27 Bytes [ 00, 74, EB, 33, D2, 81, F9, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetShowSecurityInfoByURL + 65 3D9A656D 11 Bytes [ 89, 95, 54, FF, FF, FF, 74, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCheckConnectionA + 4 3D9A6668 35 Bytes [ 85, 50, FF, FF, FF, 89, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCheckConnectionA + 29 3D9A668D 5 Bytes [ 7C, BB, 8D, 85, 5C ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCheckConnectionA + 2F 3D9A6693 5 Bytes [ FF, FF, 39, 85, 58 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCheckConnectionA + 35 3D9A6699 14 Bytes [ FF, FF, 74, 19, 64, A1, 18, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCheckConnectionA + 45 3D9A66A9 4 Bytes [ 8B, 40, 30, 57 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ForceNexusLookupExW + 7 3D9A6AFA 126 Bytes CALL 3D986A91 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ForceNexusLookup + 42 3D9A6B79 75 Bytes [ CE, C1, E1, 03, 51, 53, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ForceNexusLookup + 8E 3D9A6BC5 62 Bytes [ 45, 10, 8B, 3D, C8, 10, F1, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ForceNexusLookup + D0 3D9A6C07 24 Bytes [ 6A, 01, 8D, 46, FE, 50, 53, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ForceNexusLookup + EA 3D9A6C21 184 Bytes [ 00, 39, 5D, 10, 0F, 84, 86, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateMD5SSOHash + 6D 3D9A6CDD 30 Bytes [ 75, F4, 8B, 40, 30, 53, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateMD5SSOHash + 8C 3D9A6CFC 15 Bytes JMP 3D9BA830 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateMD5SSOHash + 9C 3D9A6D0C 9 Bytes [ 55, 8B, EC, 56, 8B, 75, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateMD5SSOHash + A6 3D9A6D16 11 Bytes CALL 3D9BA86E C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateMD5SSOHash + B2 3D9A6D22 9 Bytes [ 14, 85, F6, 74, 10, 6A, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlW + 6A 3D9A6E49 37 Bytes CALL 3D97F3A1 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlW + 90 3D9A6E6F 35 Bytes [ 15, B0, 11, F1, 77, 5F, EB, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetOpenUrlW + B5 3D9A6E94 24 Bytes [ 8B, FF, 55, 8B, EC, 51, 51, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileW + 4 3D9A6EAD 76 Bytes [ 55, 10, 85, D2, 7E, 6A, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileW + 52 3D9A6EFB 6 Bytes [ 75, 1C, 50, 56, 52, 57 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFindNextFileW + 59 3D9A6F02 267 Bytes [ 75, 08, FF, 15, 58, 51, F5, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetShowSecurityInfoByURLW + 23 3D9A700E 92 Bytes [ 75, 10, FF, 75, 0C, 50, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetSecurityInfoByURLW + 23 3D9A706B 28 Bytes [ FF, FE, 6B, 44, 7E, 07, 6C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetSecurityInfoByURLW + 40 3D9A7088 13 Bytes [ 8D, BE, A4, 00, 00, 00, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetSecurityInfoByURLW + 4E 3D9A7096 23 Bytes CALL 3D9A3235 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetSecurityInfoByURLW + 67 3D9A70AF 115 Bytes [ 20, 33, 45, 10, 83, E0, 70, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetLastResponseInfoW + 56 3D9A7123 70 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetLastResponseInfoW + 9D 3D9A716A 10 Bytes [ 8B, 45, 08, 83, F8, FF, 0F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetLastResponseInfoW + A8 3D9A7175 47 Bytes [ FF, 3D, FF, FF, 00, 00, 0F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetLastResponseInfoW + D9 3D9A71A6 27 Bytes [ 10, 56, 50, 83, E1, 3F, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetLastResponseInfoW + F6 3D9A71C3 1 Byte [ 20 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionExA + 2 3D9A74A8 56 Bytes [ 50, 38, 6A, 00, 6A, 0C, 5A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionExW + A 3D9A74E1 13 Bytes [ 1C, FF, 75, 18, FF, 75, 14, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionExW + 19 3D9A74F0 30 Bytes CALL 3D9A87B0 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionExW + 38 3D9A750F 71 Bytes JMP 3D9A88B8 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionExW + 80 3D9A7557 5 Bytes [ 50, E8, DC, FA, FF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionExW + 86 3D9A755D 102 Bytes [ 5F, 5E, 33, C0, 5B, 8B, E5, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ResumeSuspendedDownload 3D9A957F 147 Bytes [ 90, 8B, FF, 55, 8B, EC, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ResumeSuspendedDownload + 94 3D9A9613 18 Bytes [ 00, 69, 00, 63, 00, 72, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ResumeSuspendedDownload + A7 3D9A9626 9 Bytes [ 57, 00, 69, 00, 6E, 00, 64, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ResumeSuspendedDownload + B1 3D9A9630 9 Bytes [ 77, 00, 73, 00, 5C, 00, 43, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ResumeSuspendedDownload + BB 3D9A963A 24 Bytes [ 72, 00, 72, 00, 65, 00, 6E, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DispatchAPICall + 39 3D9A9E82 26 Bytes [ 8B, 4D, 1C, 89, 45, FC, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DispatchAPICall + 54 3D9A9E9D 3 Bytes [ 23, 20, FF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DispatchAPICall + 58 3D9A9EA1 4 Bytes [ 57, 8D, 8D, E4 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DispatchAPICall + 5D 3D9A9EA6 12 Bytes CALL 3D99BEC2 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DispatchAPICall + 6A 3D9A9EB3 23 Bytes CALL 3D99BEC3 C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!_GetFileExtensionFromUrl + 2 3D9ABA7E 132 Bytes [ FF, 85, C0, 0F, 8C, 6E, 13, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!_GetFileExtensionFromUrl + 87 3D9ABB03 105 Bytes [ 8D, 47, 48, 8B, 30, EB, 18, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!_GetFileExtensionFromUrl + F1 3D9ABB6D 77 Bytes [ 15, 68, 11, F1, 77, 83, C4, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!_GetFileExtensionFromUrl + 13F 3D9ABBBB 7 Bytes [ 8B, 3D, 7C, 11, F1, 77, 53 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!_GetFileExtensionFromUrl + 147 3D9ABBC3 30 Bytes [ D7, FF, 35, 30, 45, F5, 77, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFortezzaCommand + 12 3D9ABF6D 26 Bytes [ 10, F1, 77, 8B, C6, E9, EC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFortezzaCommand + 2D 3D9ABF88 60 Bytes [ BC, 43, F5, 77, 00, 75, 0D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFortezzaCommand + 6A 3D9ABFC5 43 Bytes [ EB, 08, 66, 83, A5, F4, FD, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFortezzaCommand + 96 3D9ABFF1 50 Bytes [ 8B, 75, 10, 8B, 45, 10, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetFortezzaCommand + C9 3D9AC024 197 Bytes [ C0, 5D, C2, 14, 00, 90, 90, ... ]
.text ...

by **meteorman** » November 8th, 2009, 10:14 am

*** gmer.txt file. Third and final part. ****

.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileA + A 3D9AEF32 10 Bytes [ E0, EB, 52, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileA + 15 3D9AEF3D 31 Bytes [ 8B, 00, 8B, 00, 89, 45, E4, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileA + 35 3D9AEF5D 47 Bytes [ 80, 74, 19, 3D, 96, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileA + 65 3D9AEF8D 120 Bytes [ F9, FB, FF, C3, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileA + DE 3D9AF006 2 Bytes [ FF, FF ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileA + 2 3D9AF029 51 Bytes [ FF, FF, F0, 80, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileA + 36 3D9AF05D 18 Bytes [ FF, FF, FF, FF, 00, 0F, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileA + 49 3D9AF070 14 Bytes [ F8, 00, 0F, FF, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileA + 58 3D9AF07F 8 Bytes [ FF, F8, 00, 0F, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileA + 61 3D9AF088 15 Bytes [ FF, FF, FF, F0, 07, 0F, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileSize + 1F 3D9B02CC 70 Bytes [ 25, 0F, BE, C0, 50, FF, 15, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileSize + 66 3D9B0313 53 Bytes [ EB, 4B, 3B, F2, 8B, 5D, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileSize + 9C 3D9B0349 73 Bytes [ FF, 8B, F0, 85, F6, 74, BF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileSize + E6 3D9B0393 29 Bytes [ 98, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileSize + 104 3D9B03B1 22 Bytes [ 57, 8B, BB, 3C, 04, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpDeleteFileA + 7 3D9B0726 14 Bytes [ 2B, CF, 1B, C3, 89, 8E, 68, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpDeleteFileA + 16 3D9B0735 209 Bytes [ 00, F7, C2, 00, 00, 02, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryA + 79 3D9B0807 69 Bytes [ 0F, 85, 53, 9E, 04, 00, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryA + BF 3D9B084D 16 Bytes [ 3E, 53, 8D, 45, FC, 50, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryA + D1 3D9B085F 122 Bytes [ 8D, 8E, 64, 03, 00, 00, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryA + 14C 3D9B08DA 14 Bytes [ F1, 57, 8D, 8E, B0, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryA + 15B 3D9B08E9 82 Bytes [ 68, FF, 00, 00, 00, 56, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandA + 17 3D9B093C 46 Bytes [ FF, 8B, 86, 94, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandA + 46 3D9B096B 41 Bytes [ 7E, 70, 89, 7E, 74, 89, 7E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandA + 70 3D9B0995 165 Bytes [ BE, A4, 00, 00, 00, E8, C5, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandA + 116 3D9B0A3B 18 Bytes [ FF, 85, C0, 75, 08, 8B, 4E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandA + 129 3D9B0A4E 10 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryA + 9 3D9B13F3 1 Byte [ F0 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryA + B 3D9B13F5 37 Bytes [ 15, 4C, 11, DD, 77, 33, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryA + 31 3D9B141B 11 Bytes [ FE, C3, 66, 83, 7E, 02, 30, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryA + 3D 3D9B1427 11 Bytes JMP 3D9BDAE7 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryA + 49 3D9B1433 31 Bytes JMP 3D9B1181 C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpFindFirstFileA + B 3D9B14AB 13 Bytes [ 15, 4C, 11, DD, 77, 8B, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpFindFirstFileA + 19 3D9B14B9 15 Bytes [ 00, 6A, 57, EB, EC, 8D, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileA + 2 3D9B14C9 6 Bytes [ 85, C0, 0F, 84, AB, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileA + 9 3D9B14D0 141 Bytes CALL 3D994D59 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileA + 97 3D9B155E 102 Bytes [ 00, 8B, 0E, 33, C0, 85, C9, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileA + FF 3D9B15C6 12 Bytes CALL 3D9B15D4 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileA + 10C 3D9B15D3 158 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpFindFirstFileW + 16 3D9B174B 238 Bytes [ 4D, 2C, 3B, CE, 0F, 85, 92, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpFindFirstFileW + 105 3D9B183A 98 Bytes CALL C912F554
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpDeleteFileW + 39 3D9B189D 122 Bytes [ C8, 8B, 45, B8, 83, E1, 03, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpRenameFileW + 1 3D9B1918 2 Bytes [ 4D, C4 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpRenameFileW + 4 3D9B191B 87 Bytes JMP C95B4C22
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpRenameFileW + 5C 3D9B1973 101 Bytes [ 25, 04, 60, E4, 77, 8D, 46, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpRenameFileW + C2 3D9B19D9 123 Bytes [ D8, 83, 4D, FC, FF, 83, 7B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileW 3D9B1A55 30 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileW + 1F 3D9B1A74 25 Bytes [ 83, C4, 0C, 5D, C2, 0C, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileW + 39 3D9B1A8E 67 Bytes [ 83, F8, 0A, 0F, 87, 74, 04, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileW + 7D 3D9B1AD2 21 Bytes [ 15, 08, 10, DD, 77, 85, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpOpenFileW + 94 3D9B1AE9 25 Bytes [ CC, 15, DD, 77, 8B, 06, 66, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCreateDirectoryW + E 3D9B1B1D 9 Bytes [ C0, EB, F6, 8B, 4E, 0C, 2B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCreateDirectoryW + 18 3D9B1B27 112 Bytes [ 03, 03, 4D, 08, 03, D1, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCreateDirectoryW + 89 3D9B1B98 233 Bytes JMP 3D9B04D6 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryW + F 3D9B1C82 64 Bytes [ 75, 0C, FF, 75, 08, E8, 2D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryW + 50 3D9B1CC3 30 Bytes [ 04, 50, 68, BE, 68, DE, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryW + 6F 3D9B1CE2 42 Bytes [ 55, 8B, EC, 51, 8B, 45, 08, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpSetCurrentDirectoryW + 9A 3D9B1D0D 141 Bytes [ 85, C0, 0F, 84, 3D, 18, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryW + 77 3D9B1D9B 31 Bytes [ 0C, 01, 0F, 85, 29, BF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryW + 98 3D9B1DBC 50 Bytes [ 53, FF, 75, 18, 6A, 01, 56, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetCurrentDirectoryW + CE 3D9B1DF2 31 Bytes [ 8B, FF, 55, 8B, EC, 83, EC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandW + 1F 3D9B1E12 10 Bytes [ 75, 14, FF, 75, 10, FF, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandW + 2A 3D9B1E1D 15 Bytes [ FF, FF, 85, C0, 75, 1C, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandW + 3B 3D9B1E2E 1 Byte [ EC ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandW + 3D 3D9B1E30 39 Bytes [ FF, 75, 10, FF, 75, 0C, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpCommandW + 65 3D9B1E58 23 Bytes [ 75, 24, FF, 75, 20, FF, 75, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileW + 25 3D9B2544 105 Bytes [ A4, 00, 00, 00, 3C, 30, 40, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileEx + 41 3D9B25AE 35 Bytes [ 2F, 3B, 46, 3B, 68, 3B, 7C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileEx + 65 3D9B25D2 64 Bytes [ 20, 3E, 49, 3E, 6F, 3E, 7D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpGetFileEx + A6 3D9B2613 207 Bytes [ 36, 8B, 36, 19, 37, 45, 37, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileEx + C4 3D9B26E3 23 Bytes [ 3E, A4, 3E, BE, 3E, 1F, 3F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileEx + DD 3D9B26FC 144 Bytes [ 59, 30, 6A, 30, 6F, 30, 7D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileEx + 16E 3D9B278D 21 Bytes [ 3A, E1, 3A, 12, 3B, 2D, 3B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileEx + 184 3D9B27A3 58 Bytes [ 00, 28, 01, 00, 00, 88, 34, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FtpPutFileEx + 1BF 3D9B27DE 113 Bytes [ 90, 36, 96, 36, 9C, 36, A6, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GopherOpenFileA + 3E 3D9B663F 37 Bytes [ 2D, 03, 80, 00, 00, 74, 16, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GopherOpenFileA + 64 3D9B6665 7 Bytes [ 14, 56, 33, F6, 85, D2, 76 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GopherOpenFileA + 6C 3D9B666D 47 Bytes [ 8B, 45, 10, 8D, 44, 10, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GopherOpenFileA + 9C 3D9B669D 14 Bytes [ E4, 8B, 06, 80, 38, 00, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GopherOpenFileA + AB 3D9B66AC 26 Bytes [ E4, 0F, B6, 08, 8D, 78, 01, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteWpadCacheForNetworks + 47 3D9B6881 93 Bytes [ 89, 38, 75, F0, 5F, 5E, 5B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteWpadCacheForNetworks + A6 3D9B68E0 1 Byte [ 0C ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteWpadCacheForNetworks + A8 3D9B68E2 31 Bytes CALL 3D9B6831 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteWpadCacheForNetworks + C8 3D9B6902 233 Bytes [ 0C, 38, 89, 0A, 03, C3, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteWpadCacheForNetworks + 1B2 3D9B69EC 176 Bytes [ 84, C0, 8A, 16, 74, 12, 3A, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacySetZonePreferenceW + 4 3D9BA075 57 Bytes [ 06, 6A, 01, 8B, CE, FF, 50, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacySetZonePreferenceW + 3E 3D9BA0AF 136 Bytes JMP 3D9AE7E7 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacySetZonePreferenceW + C7 3D9BA138 37 Bytes [ 5E, 1C, 74, 3B, 53, EB, 17, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacySetZonePreferenceW + ED 3D9BA15E 16 Bytes [ 6B, E2, FD, FF, C7, 46, 1C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!PrivacySetZonePreferenceW + FF 3D9BA170 10 Bytes [ FC, FF, 15, 58, 13, E7, 77, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpCheckDavCompliance + 45 3D9BA3B2 18 Bytes JMP 3D98A1DB C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpCheckDavCompliance + 58 3D9BA3C5 40 Bytes [ 00, 00, 00, 0F, 83, 7C, E2, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpCheckDavCompliance + 81 3D9BA3EE 34 Bytes [ 81, FF, E5, 03, 00, 00, 0F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpCheckDavCompliance + A4 3D9BA411 87 Bytes [ 93, D0, 00, 00, 00, 0F, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpCheckDavCompliance + FC 3D9BA469 3 Bytes [ 8B, 83, AC ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestExA + 2A 3D9BA784 44 Bytes [ 45, FC, 83, C0, 38, 39, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestExA + 57 3D9BA7B1 110 Bytes [ 00, 00, 00, 89, 70, 38, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpSendRequestExW + 6D 3D9BA820 67 Bytes [ 8B, B4, 00, 00, 00, 89, 48, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpEndRequestA + 2 3D9BA864 1 Byte [ FF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpEndRequestA + 4 3D9BA866 65 Bytes [ 00, 01, 00, 00, B8, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpEndRequestW + 14 3D9BA8A8 46 Bytes [ 81, FE, 17, 00, 00, C0, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpEndRequestW + 43 3D9BA8D7 30 Bytes [ BE, BE, 06, 00, 00, E9, 6F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpEndRequestW + 62 3D9BA8F6 128 Bytes [ 1C, 8D, 45, F0, 50, FF, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpEndRequestW + E3 3D9BA977 41 Bytes JMP 3D998C41 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!HttpEndRequestW + 10E 3D9BA9A2 36 Bytes [ 00, 80, 49, 1C, 80, 8B, 48, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetPerSiteCookieDecisionA + 2 3D9BAEB7 5 Bytes [ 05, 21, 07, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetPerSiteCookieDecisionA + 8 3D9BAEBD 70 Bytes [ F0, 57, 6A, 6F, 56, 6A, 02, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetPerSiteCookieDecisionA + 4F 3D9BAF04 21 Bytes [ 15, 04, 12, E7, 77, EB, 5D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetPerSiteCookieDecisionA + 65 3D9BAF1A 101 Bytes [ 89, 48, 50, FF, 76, 68, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetPerSiteCookieDecisionW + 61 3D9BAF80 77 Bytes JMP 3D99F78E C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetPerSiteCookieDecisionW + 11 3D9BAFCE 634 Bytes [ FF, 75, 10, FF, 76, 04, 68, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetClearAllPerSiteCookieDecisions + 135 3D9BB249 121 Bytes [ 93, 93, 93, 93, 93, B6, B6, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetClearAllPerSiteCookieDecisions + 1AF 3D9BB2C3 1307 Bytes [ 74, 74, 74, 74, 74, 93, 93, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetClearAllPerSiteCookieDecisions + 6CB 3D9BB7DF 33 Bytes [ 5D, 5D, 5D, 7E, 7E, 7E, 7E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetClearAllPerSiteCookieDecisions + 6ED 3D9BB801 612 Bytes [ 5D, 7E, 7E, 7E, 7E, 7E, 7E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetClearAllPerSiteCookieDecisions + 952 3D9BBA66 65 Bytes [ 74, 16, 16, 93, 93, 93, 93, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieA + B 3D9BBE43 32 Bytes [ 75, 75, 16, 16, 16, 16, 16, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieA + B 3D9BBE64 2 Bytes [ 75, 75 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieA + E 3D9BBE67 15 Bytes [ 16, 16, 94, 94, 94, 94, 94, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieA + 1E 3D9BBE77 45 Bytes [ D8, 32, 32, 32, 53, 53, 53, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieW + 11 3D9BBEA5 2 Bytes [ 75, 75 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetCookieW + 14 3D9BBEA8 23 Bytes [ 94, 94, 94, 94, 94, 94, B7, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetCookieW + 9 3D9BBEC0 423 Bytes [ 53, 53, 75, 75, 75, 75, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeToSystemTimeW + A8 3D9BC068 119 Bytes [ 01, 33, C0, 8B, 4D, FC, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTimeW + 6C 3D9BC0E0 54 Bytes [ 20, 3B, F3, 74, 1C, 80, FA, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTimeW + A3 3D9BC117 27 Bytes [ 4D, 20, 89, 19, 8B, 4D, 24, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTimeW + BF 3D9BC133 86 Bytes JMP 3D9BBE6C C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTimeW + 116 3D9BC18A 34 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetTimeFromSystemTimeW + 139 3D9BC1AD 34 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UrlZonesDetach + 4D 3D9BF947 52 Bytes [ 00, A8, FF, 5B, 08, 08, 5B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UrlZonesDetach + 82 3D9BF97C 59 Bytes [ 12, 08, 25, 5C, 46, 5C, 24, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UrlZonesDetach + BE 3D9BF9B8 141 Bytes [ 12, 08, 25, 5C, 5B, 08, 08, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UrlZonesDetach + 14C 3D9BFA46 80 Bytes [ 3C, 00, 16, 03, 18, 00, 4B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UrlZonesDetach + 19D 3D9BFA97 6 Bytes [ 00, FE, FF, FE, FF, FF ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheGroup + 24 3D9C3C2B 21 Bytes [ 74, FF, FF, FF, 5E, C9, C2, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CreateUrlCacheGroup + 3A 3D9C3C41 47 Bytes [ 0C, 3B, 75, 10, 0F, 85, BB, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerA 3D9C3C71 10 Bytes JMP 3D9C2447 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerA + B 3D9C3C7C 25 Bytes JMP 3D9C2484 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerA + 25 3D9C3C96 25 Bytes [ 43, 00, 55, 00, 52, 00, 49, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerA + 3F 3D9C3CB0 15 Bytes [ 54, 00, 48, 00, 45, 00, 4E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerW + B 3D9C3CC0 3 Bytes [ 54, 00, 49 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerW + F 3D9C3CC4 37 Bytes [ 4F, 00, 4E, 00, 5F, 00, 49, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerW + 35 3D9C3CEA 17 Bytes [ 61, 00, 41, 00, 75, 00, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheContainerW + 47 3D9C3CFC 46 Bytes [ 63, 00, 61, 00, 74, 00, 69, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheEntryW + 1 3D9C3D2B 91 Bytes [ 45, 0C, 56, 8B, 75, 08, 66, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheEntryW + 5D 3D9C3D87 54 Bytes [ 18, 00, 00, 00, 89, 9D, 3C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheGroup + 16 3D9C3DBE 11 Bytes [ FF, 15, 6C, 11, FE, 77, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheGroup + 22 3D9C3DCA 34 Bytes [ 89, 85, 5C, FF, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!DeleteUrlCacheGroup + 45 3D9C3DED 23 Bytes [ 7C, FF, FF, FF, 50, C7, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheGroup + A 3D9C3E05 11 Bytes [ 00, C6, 85, 58, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheGroup + 18 3D9C3E13 33 Bytes [ C7, 85, 60, FF, FF, FF, 8C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheGroup + 3A 3D9C3E35 35 Bytes [ FF, 68, E4, 4C, FE, 77, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindFirstUrlCacheGroup + 5E 3D9C3E59 44 Bytes [ FF, FF, 50, 8D, 85, 30, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheContainerW + 15 3D9C3E86 56 Bytes [ FF, 5F, 5B, 8B, 4D, FC, 5E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheContainerW + 4E 3D9C3EBF 18 Bytes [ 68, 90, 4C, FE, 77, 8D, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheContainerW + 61 3D9C3ED2 10 Bytes [ FF, 89, 85, 48, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheContainerW + 6C 3D9C3EDD 66 Bytes [ FF, FF, 50, 33, DB, 68, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheGroup + 2D 3D9C3F20 21 Bytes [ 00, 00, 57, 53, 6A, 01, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheGroup + 43 3D9C3F36 16 Bytes [ FF, FF, 8B, F8, FF, 15, 70, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheGroup + 54 3D9C3F47 53 Bytes [ 00, 6A, 23, 59, 33, C0, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExW + 31 3D9C3F7D 30 Bytes [ FF, 8C, 00, 00, 00, FF, D6, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExW + 50 3D9C3F9C 38 Bytes [ 8D, 85, 30, FF, FF, FF, 50, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FindNextUrlCacheEntryExW + 77 3D9C3FC3 79 Bytes [ FF, C9, C2, 04, 00, 66, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FreeUrlCacheSpaceA + 12 3D9C4013 36 Bytes [ 3A, 45, 3A, 69, 3A, 94, 3A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FreeUrlCacheSpaceA + 37 3D9C4038 11 Bytes [ D9, 3D, 0E, 3E, F0, 3E, E7, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FreeUrlCacheSpaceA + 43 3D9C4044 32 Bytes [ 6C, 00, 00, 00, 47, 30, 46, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!FreeUrlCacheSpaceW + 1C 3D9C4065 174 Bytes [ 34, 6E, 34, 96, 34, C3, 34, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheConfigInfoA + 4C 3D9C4114 74 Bytes [ 10, 30, 2D, 30, 4F, 31, EF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheConfigInfoW + 46 3D9C415F 210 Bytes [ 34, 3A, 34, 8A, 34, B5, 34, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheGroupAttributeW + 2A 3D9C4232 328 Bytes [ 00, 00, 3A, 31, 4F, 31, 6E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!IsUrlCacheEntryExpiredA + 9E 3D9C437B 732 Bytes [ 3F, 00, C0, 00, 00, D0, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheGroupAttributeW + 5A 3D9C4658 29 Bytes [ 72, 30, C7, 31, E4, 31, 02, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheGroupAttributeW + 78 3D9C4676 247 Bytes [ AE, 33, CB, 33, DE, 33, E9, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UpdateUrlCacheContentPath + 6A 3D9C476E 37 Bytes [ 8E, 3D, 94, 3D, 99, 3D, B7, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!UpdateUrlCacheContentPath + 90 3D9C4794 287 Bytes [ 1F, 30, 2F, 30, 39, 30, 4E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheConfigInfoA + 5F 3D9C48B4 123 Bytes [ F9, 3F, 00, 00, 00, 80, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheConfigInfoA + DB 3D9C4930 118 Bytes [ 74, 00, 00, 00, DB, 30, F0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheConfigInfoA + 152 3D9C49A7 127 Bytes [ 00, 00, 30, 1C, 31, 20, 31, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheConfigInfoA + 1D2 3D9C4A27 151 Bytes [ 39, 06, 39, 11, 39, 18, 39, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!SetUrlCacheConfigInfoA + 26A 3D9C4ABF 112 Bytes [ 3F, 00, C0, 01, 00, FC, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowSecurityInfo + 11 3D9C962D 57 Bytes JMP 3D9C1D6F C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowSecurityInfo + 4B 3D9C9667 19 Bytes [ FF, 11, 0F, 84, B5, DF, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowSecurityInfo + 5F 3D9C967B 11 Bytes [ 75, 2A, FF, 75, 18, FF, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowSecurityInfo + 6B 3D9C9687 20 Bytes [ 75, 0C, 6A, 01, 56, 56, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowSecurityInfo + 80 3D9C969C 16 Bytes [ FF, 75, 08, 85, C0, 0F, 85, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ParseX509EncodedCertificateForListBoxEntry + 9 3D9C97F6 4 Bytes CALL 3D9C980D C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ParseX509EncodedCertificateForListBoxEntry + E 3D9C97FB 8 Bytes [ 00, 5F, 5E, 5B, 5D, C2, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowX509EncodedCertificate + 4 3D9C9804 4 Bytes [ CA, 8B, C2, EB ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowX509EncodedCertificate + 9 3D9C9809 20 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowX509EncodedCertificate + 1E 3D9C981E 148 Bytes [ 75, 0C, FF, 75, 08, FF, 15, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowX509EncodedCertificate + B3 3D9C98B3 57 Bytes [ 8B, 55, 30, 56, 8B, 75, 08, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!ShowX509EncodedCertificate + ED 3D9C98ED 4 Bytes [ B5, DC, FD, FF ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringA + 9 3D9C9BC2 1 Byte [ 72 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringA + B 3D9C9BC4 41 Bytes [ 74, 00, 66, 00, 00, 00, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringA + 35 3D9C9BEE 1 Byte [ 73 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringA + 37 3D9C9BF0 55 Bytes [ 00, 00, 90, 90, 2E, 78, 6C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringA + 6F 3D9C9C28 21 Bytes [ 74, 00, 6D, 00, 00, 00, 90, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringW 3D9C9D17 9 Bytes [ 90, 2E, 00, 61, 00, 73, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringW + B 3D9C9D22 34 Bytes [ 90, 90, 2E, 00, 77, 00, 61, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringW + 2F 3D9C9D46 7 Bytes [ 90, 90, 2E, 00, 6D, 00, 33 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringW + 37 3D9C9D4E 35 Bytes [ 75, 00, 00, 00, 90, 90, 2E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetAlgIdToStringW + 5D 3D9C9D74 21 Bytes [ 2E, 00, 61, 00, 69, 00, 66, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSecurityProtocolToStringA + 23 3D9C9EA8 1 Byte [ 05 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSecurityProtocolToStringA + 25 3D9C9EAA 206 Bytes [ 00, 00, 5C, 10, F7, 77, 7C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSecurityProtocolToStringW + 19 3D9C9F79 8 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSecurityProtocolToStringW + 22 3D9C9F82 133 Bytes [ F7, 77, 18, 0D, F7, 77, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSecurityProtocolToStringW + A8 3D9CA008 54 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSecurityProtocolToStringW + DF 3D9CA03F 22 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSecurityProtocolToStringW + F6 3D9CA056 9 Bytes [ F9, FF, 1F, FE, F7, FE, 77, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetErrorDlg + 41 3D9CA7A4 31 Bytes [ FF, 85, C0, 8B, 7D, FC, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetErrorDlg + 61 3D9CA7C4 5 Bytes [ 75, 08, E8, BD, DF ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetErrorDlg + 67 3D9CA7CA 124 Bytes [ FF, 8B, F0, 85, F6, 74, 09, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetErrorDlg + E4 3D9CA847 29 Bytes [ 41, 73, 73, 6F, 63, 69, 61, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetErrorDlg + 102 3D9CA865 7 Bytes [ EC, FF, 75, 10, FF, 75, 08 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + 35 3D9CAC8B 3 Bytes [ B5, B4, FE ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + 39 3D9CAC8F 76 Bytes CALL 3D9A458C C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + 86 3D9CACDC 8 Bytes [ 75, 27, 8D, 85, BC, FE, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + 8F 3D9CACE5 30 Bytes CALL 3D9CB15E C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + AE 3D9CAD04 17 Bytes [ FF, FF, B5, A0, FE, FF, FF, ... ]
.text ...

---- Devices - GMER 1.0.12 ----

Device \FileSystem\cdudf_xp \Device\CdUdf_XP IRP_MJ_FILE_SYSTEM_CONTROL [A8795EC8] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [A8795D30] tfsnifs.sys

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-2063061788-1251265980-2345815548-1007\Software\SecuROM\License information@datasecu 0xF1 0x37 0x4A 0x62 ...
Reg \Registry\USER\S-1-5-21-2063061788-1251265980-2345815548-1007\Software\SecuROM\License information@rkeysecu 0xCB 0xBD 0xF2 0x61 ...

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
ADS C:\Documents and Settings\Laura\Favorites\Links\Suggested Sites.url:favicon
ADS C:\Documents and Settings\Mason\Favorites\Links\Suggested Sites.url:favicon
ADS C:\Documents and Settings\Mike\Favorites\Links\Suggested Sites.url:favicon
ADS C:\Documents and Settings\Mike\My Documents\My Pictures\bevhillbilliesBIG.jpg:SummaryInformation
ADS C:\Documents and Settings\Mike\My Documents\My Pictures\bevhillbilliesBIG.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Mike\My Documents\My Pictures\HSC Images\HSC B&W.jpg:SummaryInformation
ADS C:\Documents and Settings\Mike\My Documents\My Pictures\HSC Images\HSC B&W.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Mike\My Documents\My Pictures\HSC Images\Limulus Univ.jpg:SummaryInformation
ADS C:\Documents and Settings\Mike\My Documents\My Pictures\HSC Images\Limulus Univ.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Mike\My Documents\My Pictures\HSC Images\Spawning Dept.jpg:SummaryInformation
ADS ...

---- EOF - GMER 1.0.12 ----

by **Shaba** » November 8th, 2009, 2:39 pm

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code: Select all

File::
c:\windows\system32\kohepiti.dll
c:\program files\Common Files\tybylot.dll
c:\program files\Common Files\mysi._sy
c:\windows\SYSTEM32\beyawota.dll
c:\windows\SYSTEM32\fevebuso.dll
c:\windows\SYSTEM32\lobeyari.exe
c:\windows\SYSTEM32\nevikegu.dll
c:\windows\SYSTEM32\pejafiwi.dll
c:\windows\SYSTEM32\peyuweli.dll
c:\windows\SYSTEM32\pigatedu.exe
c:\windows\SYSTEM32\povelomo.dll
c:\windows\SYSTEM32\putisove.dll
c:\windows\SYSTEM32\vuzibede.exe
c:\windows\SYSTEM32\yomezeta.dll
c:\windows\SYSTEM32\yonohuje.dll

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

by **meteorman** » November 8th, 2009, 6:17 pm

thanks.
by the way, soon after ComboFix started, a window popped up and said an newer version was available and did I want to update? I responded no.
Also, at the very end, a window indicted ComboFix needed to connect to the Internet to analyze some malware.
I clicked OK.
I assume that was all legitimate.
here's the log.
thanks so much!

ComboFix 09-11-05.01 - Mike 11/08/2009 16:31.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.720 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\program files\Common Files\mysi._sy"
"c:\program files\Common Files\tybylot.dll"
"c:\windows\SYSTEM32\beyawota.dll"
"c:\windows\SYSTEM32\fevebuso.dll"
"c:\windows\system32\kohepiti.dll"
"c:\windows\SYSTEM32\lobeyari.exe"
"c:\windows\SYSTEM32\nevikegu.dll"
"c:\windows\SYSTEM32\pejafiwi.dll"
"c:\windows\SYSTEM32\peyuweli.dll"
"c:\windows\SYSTEM32\pigatedu.exe"
"c:\windows\SYSTEM32\povelomo.dll"
"c:\windows\SYSTEM32\putisove.dll"
"c:\windows\SYSTEM32\vuzibede.exe"
"c:\windows\SYSTEM32\yomezeta.dll"
"c:\windows\SYSTEM32\yonohuje.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\mysi._sy
c:\program files\Common Files\tybylot.dll
c:\windows\SYSTEM32\lobeyari.exe
c:\windows\SYSTEM32\pigatedu.exe
c:\windows\SYSTEM32\vuzibede.exe
c:\windows\SYSTEM32\yomezeta.dll
c:\windows\SYSTEM32\yonohuje.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-07 12:07 . 2009-11-07 12:07 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\jZip
2009-11-05 23:37 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 23:37 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 19:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-05 19:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\adminmike\Application Data\Yahoo!
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\jZip
2009-11-05 18:11 . 2009-11-05 18:12 -------- d-----w- c:\program files\jZip
2009-11-05 18:03 . 2009-11-05 18:03 -------- d-sh--w- c:\documents and settings\adminmike\PrivacIE
2009-11-05 18:00 . 2009-11-05 18:00 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSN Search Toolbar
2009-11-05 17:59 . 2009-11-05 18:00 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Google
2009-11-05 17:59 . 2009-11-05 18:34 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSN6
2009-11-05 17:59 . 2009-11-05 18:02 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSNInstaller
2009-11-05 17:59 . 2009-11-05 17:59 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Apple Computer
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Roxio
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Application Data\SiteAdvisor
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\SupportSoft
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Application Data\GTek
2009-11-05 00:30 . 2009-11-05 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\Trend Micro
2009-11-02 21:04 . 2009-11-02 21:04 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-11-02 21:04 . 2009-11-02 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 22:48 . 2009-10-30 22:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-30 22:23 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-30 22:21 . 2009-10-30 22:21 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-10-30 22:21 . 2009-10-30 22:21 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-30 22:21 . 2009-10-30 22:21 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-10-30 22:21 . 2009-10-30 22:21 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-10-30 22:21 . 2009-10-30 22:21 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-30 22:21 . 2009-10-30 22:21 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-10-30 22:21 . 2009-10-30 22:21 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-10-30 22:18 . 2009-10-30 22:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-30 22:18 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-29 22:42 . 2009-10-30 21:56 -------- d-----w- c:\program files\RegDefense
2009-10-29 20:57 . 2009-10-29 20:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-29 20:57 . 2009-11-02 21:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-29 20:47 . 2009-10-29 20:47 -------- d-----w- c:\windows\system32\Registry Patrol
2009-10-29 20:47 . 2009-11-02 21:45 -------- d-----w- c:\program files\Registry Patrol
2009-10-29 02:42 . 2009-10-29 02:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-10-29 02:04 . 2009-10-29 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\GTek
2009-10-29 02:04 . 2009-10-29 02:04 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-10-28 18:55 . 2009-10-28 18:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-28 18:55 . 2009-10-28 18:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-10-28 13:50 . 2009-10-28 13:54 -------- d-----w- c:\windows\tmp
2009-10-28 13:06 . 2009-10-28 22:35 -------- d-----w- c:\program files\BOGUS - fcqpql
2009-10-26 17:01 . 2009-10-26 17:22 -------- d-----w- c:\documents and settings\Mike\Application Data\AMICAS
2009-10-26 17:01 . 2009-10-26 17:13 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\AMICAS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 21:23 . 2005-05-07 14:12 -------- d-----w- c:\documents and settings\Mike\Application Data\MSN6
2009-11-07 20:22 . 2005-05-31 23:34 -------- d-----w- c:\documents and settings\Matthew\Application Data\MSN6
2009-11-07 00:45 . 2005-07-08 14:55 -------- d-----w- c:\documents and settings\Mason\Application Data\MSN6
2009-11-05 19:08 . 2005-05-07 14:44 46302 ----a-w- c:\documents and settings\Mike\Application Data\wklnhst.dat
2009-11-05 18:26 . 2009-11-05 18:25 96 ----a-w- c:\documents and settings\adminmike\Application Data\wklnhst.dat
2009-11-05 18:12 . 2006-12-29 22:38 -------- d-----w- c:\program files\Yahoo!
2009-11-03 11:38 . 2005-05-07 18:20 -------- d-----w- c:\documents and settings\Laura\Application Data\MSN6
2009-11-01 20:43 . 2009-10-29 02:05 5634 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-30 22:17 . 2008-12-03 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-30 22:17 . 2005-10-11 21:35 -------- d-----w- c:\program files\Lavasoft
2009-10-28 13:25 . 2007-12-08 12:52 -------- d-----w- c:\program files\McAfee
2009-10-17 13:36 . 2008-06-08 00:49 -------- d-----w- c:\documents and settings\Laura\Application Data\Apple Computer
2009-10-05 15:15 . 2005-05-07 00:30 14422 ----a-w- c:\documents and settings\Laura\Application Data\wklnhst.dat
2009-09-28 20:50 . 2005-08-30 22:09 7744 ----a-w- c:\documents and settings\Matthew\Application Data\wklnhst.dat
2009-09-27 23:46 . 2006-01-29 21:51 1298 ----a-w- c:\documents and settings\Mason\Application Data\wklnhst.dat
2009-09-25 10:50 . 2009-09-25 10:48 -------- d-----w- c:\program files\iTunes
2009-09-25 10:48 . 2009-09-25 10:48 -------- d-----w- c:\program files\iPod
2009-09-25 10:48 . 2007-12-18 22:49 -------- d-----w- c:\program files\Common Files\Apple
2009-09-25 10:35 . 2009-09-25 10:35 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-24 23:27 . 2005-07-08 14:55 -------- d-----w- c:\documents and settings\Mason\Application Data\MSNInstaller
2009-09-16 14:22 . 2007-12-08 12:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-12-08 12:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-12-08 12:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-12-08 12:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-12-08 12:54 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-13 20:05 . 2007-04-09 22:22 -------- d-----w- c:\documents and settings\Matthew\Application Data\Apple Computer
2009-09-11 20:33 . 2007-02-25 13:48 -------- d-----w- c:\documents and settings\Mike\Application Data\Apple Computer
2009-09-11 20:08 . 2009-09-11 20:08 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 20:07 . 2008-12-08 23:28 -------- d-----w- c:\program files\Safari
2009-09-11 20:01 . 2009-09-11 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 19:57 . 2009-09-11 19:56 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:21 . 2009-11-05 17:57 99368 ----a-w- c:\documents and settings\adminmike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 21:21 . 2009-10-29 02:03 99368 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 16:41 . 2009-08-28 18:27 4680 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-09-05 21:36 . 2008-12-31 00:23 71604 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 15:07 . 2005-05-07 18:18 99368 ----a-w- c:\documents and settings\Laura\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 13:58 . 2008-08-07 22:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-29 08:08 . 2004-08-04 10:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 23:42 . 2008-09-10 19:36 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2008-08-03 16:21 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:02 . 2005-05-07 12:57 99368 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 18:32 . 2006-12-25 20:37 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-28 18:04 . 2004-08-10 18:13 77915 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-08-27 21:30 . 2009-08-27 21:30 2855 ----a-w- c:\windows\PIF\SPORESetup.PIF
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 19:32 . 2009-08-24 19:32 152576 ----a-w- c:\documents and settings\Laura\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 16:11 . 2009-08-23 16:11 75637184 ----a-w- C:\Quicken_Deluxe_2009.exe
2009-08-21 08:45 . 2008-10-07 07:21 100056 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-11-05_20.08.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 12:14 . 2009-11-07 12:14 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
+ 2005-05-26 08:16 . 2009-08-07 00:24 44768 c:\windows\SYSTEM32\wups2.dll
+ 2005-05-07 18:21 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\wups.dll
+ 2009-11-07 12:11 . 2009-11-07 12:11 68961 c:\windows\SYSTEM32\DRIVERS\gmer.sys
+ 2005-05-07 18:21 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\DLLCACHE\wups.dll
+ 2005-05-07 00:13 . 2009-11-08 19:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-07 00:13 . 2009-11-05 18:51 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-07 00:13 . 2009-11-05 18:51 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-11-05 20:52 . 2009-11-08 19:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-11-06 17:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-06 17:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2009-11-07 12:11 . 2006-11-28 20:23 573440 c:\windows\gmer.exe
+ 2009-11-07 12:11 . 2009-11-07 12:11 565311 c:\windows\gmer.dll
+ 2004-08-04 10:00 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-11-06 17:00 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-04-29 26112]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 327680]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 36640]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-09 1695744]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-03 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-31 315392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Verizon Online Support Center.lnk - c:\program files\Verizon Online\bin\matcli.exe [2005-5-7 204800]
Windows Desktop Search.lnk - c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-9-20 238080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Games\\LieroX v0.56 Pack 1.9\\LieroX.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\MSN Toolbar Suite\\DS\\02.05.0001.1119\\en-us\\bin\\WindowsSearch.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/30/2009 5:23 PM 64288]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [5/7/2005 12:24 PM 34916]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\SYSTEM32\DRIVERS\fantom.sys [3/10/2006 3:55 PM 39424]
S3 utdrv;utdrv;c:\windows\SYSTEM32\DRIVERS\utdrv.sys [12/2/2006 9:40 AM 25344]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:21]

2009-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-08 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-08 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
TCP: {C8D32626-60AE-4ACB-93B7-EA2D39E2D568} = 77.74.48.113
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 16:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RoxioDragToDisc = "c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"?\Windows Desktop Search.lnk?????????????????????????C:\Documents and S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,a3,61,bd,5a,9e,44,a2,32,40,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,a3,61,bd,5a,9e,44,a2,32,40,\

[HKEY_USERS\S-1-5-21-2063061788-1251265980-2345815548-1007\Software\SecuROM\License information*]
"datasecu"=hex:f1,37,4a,62,73,e7,08,9a,62,3d,66,9e,7e,99,6d,40,27,3d,92,93,8c,
9d,42,fa,e4,c0,eb,18,34,76,af,a1,04,c2,04,c2,da,18,37,1a,f4,1d,96,d8,72,af,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_USERS\S-1-5-21-2063061788-1251265980-2345815548-1008\Software\SecuROM\License information*]
"datasecu"=hex:0e,5e,db,37,5d,f6,1f,68,d9,03,13,be,c4,44,ee,72,48,e7,ac,e6,a8,
7d,49,e5,4a,b4,a9,fc,f4,98,a6,15,53,ec,9f,45,ee,84,71,61,5a,e2,aa,6e,c7,a8,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(2072)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-11-08 17:08
ComboFix-quarantined-files.txt 2009-11-08 22:07
ComboFix2.txt 2009-11-05 20:25

Pre-Run: 18,488,610,816 bytes free
Post-Run: 18,607,022,080 bytes free

- - End Of File - - 3AEDC99B892C981E7A94419CCADE1D68

by **Shaba** » November 9th, 2009, 12:46 am

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code: Select all
```
DirLook::
c:\program files\BOGUS - fcqpql
```
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

by **meteorman** » November 9th, 2009, 7:18 pm

thanks.
regarding folder "c:\Program Files\BOGUS - fcqpql":
early on in my infection, before I joined this forum, McAfee or AdAware seemed to suggest that the folder "c:\Program Files\fcqpql" was malicious, or contained a malicious file.
So I renamed it to "BOGUS - fcqpql" myself, in an amateurish effort to disable it...

it has remained so through now.
ComboFix log below:

ComboFix 09-11-05.01 - Mike 11/09/2009 17:07.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.713 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 15:59 . 2009-11-09 15:59 -------- d-sh--w- c:\documents and settings\Matthew\PrivacIE
2009-11-09 15:59 . 2009-11-09 15:59 -------- d-----w- c:\documents and settings\Matthew\Application Data\Yahoo!
2009-11-07 12:07 . 2009-11-07 12:07 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\jZip
2009-11-05 23:37 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 23:37 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 19:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-05 19:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\adminmike\Application Data\Yahoo!
2009-11-05 18:12 . 2009-11-05 18:12 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\jZip
2009-11-05 18:11 . 2009-11-05 18:12 -------- d-----w- c:\program files\jZip
2009-11-05 18:03 . 2009-11-05 18:03 -------- d-sh--w- c:\documents and settings\adminmike\PrivacIE
2009-11-05 18:00 . 2009-11-05 18:00 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSN Search Toolbar
2009-11-05 17:59 . 2009-11-05 18:00 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Google
2009-11-05 17:59 . 2009-11-05 18:34 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSN6
2009-11-05 17:59 . 2009-11-05 18:02 -------- d-----w- c:\documents and settings\adminmike\Application Data\MSNInstaller
2009-11-05 17:59 . 2009-11-05 17:59 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Apple Computer
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\Roxio
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Application Data\SiteAdvisor
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Local Settings\Application Data\SupportSoft
2009-11-05 17:58 . 2009-11-05 17:58 -------- d-----w- c:\documents and settings\adminmike\Application Data\GTek
2009-11-05 00:30 . 2009-11-05 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\Trend Micro
2009-11-02 21:04 . 2009-11-02 21:04 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-11-02 21:04 . 2009-11-02 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 22:48 . 2009-10-30 22:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-30 22:23 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-30 22:21 . 2009-10-30 22:21 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-10-30 22:21 . 2009-10-30 22:21 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-30 22:21 . 2009-10-30 22:21 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-10-30 22:21 . 2009-10-30 22:21 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-10-30 22:21 . 2009-10-30 22:21 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-30 22:21 . 2009-10-30 22:21 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-10-30 22:21 . 2009-10-30 22:21 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-10-30 22:18 . 2009-10-30 22:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-30 22:18 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-29 22:42 . 2009-10-30 21:56 -------- d-----w- c:\program files\RegDefense
2009-10-29 20:57 . 2009-10-29 20:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-29 20:57 . 2009-11-02 21:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-29 20:47 . 2009-10-29 20:47 -------- d-----w- c:\windows\system32\Registry Patrol
2009-10-29 20:47 . 2009-11-02 21:45 -------- d-----w- c:\program files\Registry Patrol
2009-10-29 02:42 . 2009-10-29 02:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-10-29 02:04 . 2009-10-29 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\GTek
2009-10-29 02:04 . 2009-10-29 02:04 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-10-28 18:55 . 2009-10-28 18:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-28 18:55 . 2009-10-28 18:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-10-28 13:50 . 2009-10-28 13:54 -------- d-----w- c:\windows\tmp
2009-10-28 13:06 . 2009-10-28 22:35 -------- d-----w- c:\program files\BOGUS - fcqpql
2009-10-26 17:01 . 2009-10-26 17:22 -------- d-----w- c:\documents and settings\Mike\Application Data\AMICAS
2009-10-26 17:01 . 2009-10-26 17:13 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\AMICAS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 22:08 . 2005-05-07 14:12 -------- d-----w- c:\documents and settings\Mike\Application Data\MSN6
2009-11-09 19:39 . 2005-05-31 23:34 -------- d-----w- c:\documents and settings\Matthew\Application Data\MSN6
2009-11-07 00:45 . 2005-07-08 14:55 -------- d-----w- c:\documents and settings\Mason\Application Data\MSN6
2009-11-05 19:08 . 2005-05-07 14:44 46302 ----a-w- c:\documents and settings\Mike\Application Data\wklnhst.dat
2009-11-05 18:26 . 2009-11-05 18:25 96 ----a-w- c:\documents and settings\adminmike\Application Data\wklnhst.dat
2009-11-05 18:12 . 2006-12-29 22:38 -------- d-----w- c:\program files\Yahoo!
2009-11-03 11:38 . 2005-05-07 18:20 -------- d-----w- c:\documents and settings\Laura\Application Data\MSN6
2009-11-01 20:43 . 2009-10-29 02:05 5634 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-30 22:17 . 2008-12-03 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-30 22:17 . 2005-10-11 21:35 -------- d-----w- c:\program files\Lavasoft
2009-10-28 13:25 . 2007-12-08 12:52 -------- d-----w- c:\program files\McAfee
2009-10-17 13:36 . 2008-06-08 00:49 -------- d-----w- c:\documents and settings\Laura\Application Data\Apple Computer
2009-10-05 15:15 . 2005-05-07 00:30 14422 ----a-w- c:\documents and settings\Laura\Application Data\wklnhst.dat
2009-09-28 20:50 . 2005-08-30 22:09 7744 ----a-w- c:\documents and settings\Matthew\Application Data\wklnhst.dat
2009-09-27 23:46 . 2006-01-29 21:51 1298 ----a-w- c:\documents and settings\Mason\Application Data\wklnhst.dat
2009-09-25 10:50 . 2009-09-25 10:48 -------- d-----w- c:\program files\iTunes
2009-09-25 10:48 . 2009-09-25 10:48 -------- d-----w- c:\program files\iPod
2009-09-25 10:48 . 2007-12-18 22:49 -------- d-----w- c:\program files\Common Files\Apple
2009-09-25 10:35 . 2009-09-25 10:35 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-24 23:27 . 2005-07-08 14:55 -------- d-----w- c:\documents and settings\Mason\Application Data\MSNInstaller
2009-09-16 14:22 . 2007-12-08 12:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-12-08 12:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-12-08 12:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-12-08 12:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-12-08 12:54 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-13 20:05 . 2007-04-09 22:22 -------- d-----w- c:\documents and settings\Matthew\Application Data\Apple Computer
2009-09-11 20:33 . 2007-02-25 13:48 -------- d-----w- c:\documents and settings\Mike\Application Data\Apple Computer
2009-09-11 20:08 . 2009-09-11 20:08 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 20:07 . 2008-12-08 23:28 -------- d-----w- c:\program files\Safari
2009-09-11 20:01 . 2009-09-11 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 19:57 . 2009-09-11 19:56 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:21 . 2009-11-05 17:57 99368 ----a-w- c:\documents and settings\adminmike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 21:21 . 2009-10-29 02:03 99368 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 16:41 . 2009-08-28 18:27 4680 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-09-05 21:36 . 2008-12-31 00:23 71604 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 15:07 . 2005-05-07 18:18 99368 ----a-w- c:\documents and settings\Laura\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 13:58 . 2008-08-07 22:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-29 08:08 . 2004-08-04 10:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 23:42 . 2008-09-10 19:36 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2008-08-03 16:21 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:02 . 2005-05-07 12:57 99368 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 18:32 . 2006-12-25 20:37 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-28 18:04 . 2004-08-10 18:13 77915 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-08-27 21:30 . 2009-08-27 21:30 2855 ----a-w- c:\windows\PIF\SPORESetup.PIF
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 19:32 . 2009-08-24 19:32 152576 ----a-w- c:\documents and settings\Laura\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 16:11 . 2009-08-23 16:11 75637184 ----a-w- C:\Quicken_Deluxe_2009.exe
2009-08-21 08:45 . 2008-10-07 07:21 100056 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\BOGUS - fcqpql ----

((((((((((((((((((((((((((((( SnapShot@2009-11-05_20.08.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 12:14 . 2009-11-07 12:14 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
+ 2005-05-26 08:16 . 2009-08-07 00:24 44768 c:\windows\SYSTEM32\wups2.dll
+ 2005-05-07 18:21 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\wups.dll
+ 2009-11-07 12:11 . 2009-11-07 12:11 68961 c:\windows\SYSTEM32\DRIVERS\gmer.sys
+ 2005-05-07 18:21 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\DLLCACHE\wups.dll
+ 2005-05-07 00:13 . 2009-11-09 22:16 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-07 00:13 . 2009-11-05 18:51 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-07 00:13 . 2009-11-05 18:51 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-11-08 23:47 . 2009-11-09 22:16 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-11-06 17:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-06 17:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2009-11-07 12:11 . 2006-11-28 20:23 573440 c:\windows\gmer.exe
+ 2009-11-07 12:11 . 2009-11-07 12:11 565311 c:\windows\gmer.dll
+ 2004-08-04 10:00 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-11-06 17:00 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-04-29 26112]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 327680]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 36640]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-09 1695744]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-03 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-31 315392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Verizon Online Support Center.lnk - c:\program files\Verizon Online\bin\matcli.exe [2005-5-7 204800]
Windows Desktop Search.lnk - c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-9-20 238080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Games\\LieroX v0.56 Pack 1.9\\LieroX.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\MSN Toolbar Suite\\DS\\02.05.0001.1119\\en-us\\bin\\WindowsSearch.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/30/2009 5:23 PM 64288]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [5/7/2005 12:24 PM 34916]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\SYSTEM32\DRIVERS\fantom.sys [3/10/2006 3:55 PM 39424]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:21]

2009-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-08 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-08 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
TCP: {C8D32626-60AE-4ACB-93B7-EA2D39E2D568} = 77.74.48.113
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RoxioDragToDisc = "c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"?\Windows Desktop Search.lnk?????????????????????????C:\Documents and S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,a3,61,bd,5a,9e,44,a2,32,40,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,a3,61,bd,5a,9e,44,a2,32,40,\

[HKEY_USERS\S-1-5-21-2063061788-1251265980-2345815548-1007\Software\SecuROM\License information*]
"datasecu"=hex:f1,37,4a,62,73,e7,08,9a,62,3d,66,9e,7e,99,6d,40,27,3d,92,93,8c,
9d,42,fa,e4,c0,eb,18,34,76,af,a1,04,c2,04,c2,da,18,37,1a,f4,1d,96,d8,72,af,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_USERS\S-1-5-21-2063061788-1251265980-2345815548-1008\Software\SecuROM\License information*]
"datasecu"=hex:0e,5e,db,37,5d,f6,1f,68,d9,03,13,be,c4,44,ee,72,48,e7,ac,e6,a8,
7d,49,e5,4a,b4,a9,fc,f4,98,a6,15,53,ec,9f,45,ee,84,71,61,5a,e2,aa,6e,c7,a8,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(424)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6253\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'explorer.exe'(4988)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6253\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-09 17:48
ComboFix-quarantined-files.txt 2009-11-09 22:48
ComboFix2.txt 2009-11-08 22:08
ComboFix3.txt 2009-11-05 20:25

Pre-Run: 18,534,162,432 bytes free
Post-Run: 18,491,019,264 bytes free

- - End Of File - - 5AF9B0A7B71CC3ABEE992A58A0527526

Free Malware Removal Forum

browser hijacked and other FakeAlert trojans/pop-ups.

browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Re: browser hijacked and other FakeAlert trojans/pop-ups.

Who is online