rz4Xg2.exe: Anyone know what this is and where it may be located on Windows XP?

Discussion in 'Virus & Other Malware Removal' started by beardbuster, Nov 1, 2011.

  1. beardbuster

    beardbuster Thread Starter

    Hello...
    When my daughter starts her system, Windows XP Pro, a window pops up saying the system needs to shut down due to the following: RZ4XG2.exe. I have searched online and can't find that anywhere... What is it? I can't use System Restore because this is a home school computer and we do not have admin access...
    I will include some snapshots of popup boxes also...
    I also will run and post the log files requested...
    THANKS in advance...
    Clyde


    *************************************************
    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows XP Professional, Service Pack 2, 32 bit
    Processor: AMD Sempron(tm) Processor LE-1300, x86 Family 15 Model 127 Stepping 2
    Processor Count: 1
    RAM: 1791 Mb
    Graphics Card: ATI Radeon 3100 Graphics, 700 Mb
    Hard Drives: C: Total - 76316 MB, Free - 65647 MB;
    Motherboard: Hewlett-Packard, 3029h
    Antivirus: Total Protection for Small Business, Updated: No, On-Demand Scanner: Enabled
    ***************************************************
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:47:03 AM, on 11/1/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.Exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\setup.exe
    C:\WINDOWS\avp32.exe
    C:\WINDOWS\mdm.exe
    C:\WINDOWS\setup.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\system.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\WINDOWS\win16.exe
    C:\Program Files\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\hexdump.exe
    C:\WINDOWS\iexplarer.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\Setup.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
    C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\setup.exe
    C:\WINDOWS\avp32.exe
    C:\WINDOWS\mdm.exe
    C:\WINDOWS\setup.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\system.exe
    C:\WINDOWS\win16.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\hexdump.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\iexplarer.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\Setup.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
    C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe
    C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe
    C:\Program Files\Clearwire\Connection Manager\SwiApiMuxCdma.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.Exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [HNUiiHXlqe] C:\DOCUME~1\Parent\LOCALS~1\Temp\setup.exe
    O4 - HKLM\..\Run: [MKZSc] C:\WINDOWS\avp32.exe
    O4 - HKLM\..\Run: [MKcZ] C:\WINDOWS\mdm.exe
    O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKLM\..\Run: [HNUiiHXlud] C:\DOCUME~1\Parent\LOCALS~1\Temp\system.exe
    O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win16.exe
    O4 - HKLM\..\Run: [HNUiiHXlotc] C:\DOCUME~1\Parent\LOCALS~1\Temp\hexdump.exe
    O4 - HKLM\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
    O4 - HKLM\..\Run: [HNUiiHXlie] C:\DOCUME~1\Parent\LOCALS~1\Temp\Setup.exe
    O4 - HKLM\..\Run: [Mzufetalajoqib] rundll32.exe "C:\WINDOWS\ebecupuw.dll",Startup
    O4 - HKLM\..\Run: [uPc+MV0NkMJsiv] rundll32.exe C:\WINDOWS\system32\eek4l.dll, SystemServer
    O4 - HKLM\..\Run: [HNUiiHXlfP] C:\DOCUME~1\Parent\LOCALS~1\Temp\rz4xg2.exe
    O4 - HKLM\..\Run: [Clearwire Connection Manager] "C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe" -a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [HNUiiHXlfP] C:\DOCUME~1\Parent\LOCALS~1\Temp\rz4xg2.exe
    O4 - HKCU\..\Run: [HNUiiHXlqe] C:\DOCUME~1\Parent\LOCALS~1\Temp\setup.exe
    O4 - HKCU\..\Run: [MKZSc] C:\WINDOWS\avp32.exe
    O4 - HKCU\..\Run: [uunkhfpa] C:\DOCUME~1\Parent\LOCALS~1\Temp\xfmgdynbc\clltyeuusbs.exe
    O4 - HKCU\..\Run: [MKcZ] C:\WINDOWS\mdm.exe
    O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKCU\..\Run: [HNUiiHXlud] C:\DOCUME~1\Parent\LOCALS~1\Temp\system.exe
    O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win16.exe
    O4 - HKCU\..\Run: [HNUiiHXlotc] C:\DOCUME~1\Parent\LOCALS~1\Temp\hexdump.exe
    O4 - HKCU\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
    O4 - HKCU\..\Run: [HNUiiHXlie] C:\DOCUME~1\Parent\LOCALS~1\Temp\Setup.exe
    O4 - HKCU\..\Run: [Btedumamumus] rundll32.exe "C:\WINDOWS\MFATINKE.dll",Startup
    O4 - HKCU\..\Run: [uPc+MV0NkMJsiv] rundll32.exe C:\WINDOWS\system32\eek4l.dll, SystemServer
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2011\aro.exe -rem
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.k12.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1179847293578
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\nt7ut.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Clearwire Device Diagnostics Service (clearwireDeviceDiagnosticsService) - Unknown owner - C:\Program Files\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe
    O23 - Service: Clearwire RcAppSvc (CLEARWIRERcAppSvc) - SmithMicro Inc. - C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
    O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
    O23 - Service: Clearwire Device Launch Service (SMSI Device Launch Service) - Unknown owner - C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 10357 bytes
    ****************************************************************

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Parent at 7:49:05 on 2011-11-01
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1791.602 [GMT -7:00]
    .
    AV: Total Protection for Small Business *Enabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.Exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\setup.exe
    C:\WINDOWS\avp32.exe
    C:\WINDOWS\mdm.exe
    C:\WINDOWS\setup.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\system.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\WINDOWS\win16.exe
    C:\Program Files\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\hexdump.exe
    C:\WINDOWS\iexplarer.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\Setup.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
    C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\setup.exe
    C:\WINDOWS\avp32.exe
    C:\WINDOWS\mdm.exe
    C:\WINDOWS\setup.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\system.exe
    C:\WINDOWS\win16.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\hexdump.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\iexplarer.exe
    C:\DOCUME~1\Parent\LOCALS~1\Temp\Setup.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
    C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe
    C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe
    C:\Program Files\Clearwire\Connection Manager\SwiApiMuxCdma.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    svchost.exe -m
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\UpdDlg.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    uInternet Settings,ProxyServer = http=127.0.0.1:8075
    uInternet Settings,ProxyOverride = <local>
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [HNUiiHXlfP] c:\docume~1\parent\locals~1\temp\rz4xg2.exe
    uRun: [HNUiiHXlqe] c:\docume~1\parent\locals~1\temp\setup.exe
    uRun: [MKZSc] c:\windows\avp32.exe
    uRun: [uunkhfpa] c:\docume~1\parent\locals~1\temp\xfmgdynbc\clltyeuusbs.exe
    uRun: [MKcZ] c:\windows\mdm.exe
    uRun: [MKevc] c:\windows\setup.exe
    uRun: [HNUiiHXlud] c:\docume~1\parent\locals~1\temp\system.exe
    uRun: [MKfPc] c:\windows\win16.exe
    uRun: [HNUiiHXlotc] c:\docume~1\parent\locals~1\temp\hexdump.exe
    uRun: [MKbuqc] c:\windows\iexplarer.exe
    uRun: [HNUiiHXlie] c:\docume~1\parent\locals~1\temp\Setup.exe
    uRun: [Btedumamumus] rundll32.exe "c:\windows\MFATINKE.dll",Startup
    uRun: [uPc+MV0NkMJsiv] rundll32.exe c:\windows\system32\eek4l.dll, SystemServer
    uRun: [AROReminder] c:\program files\aro 2011\aro.exe -rem
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
    mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\agent\myAgtTry.Exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [HNUiiHXlqe] c:\docume~1\parent\locals~1\temp\setup.exe
    mRun: [MKZSc] c:\windows\avp32.exe
    mRun: [MKcZ] c:\windows\mdm.exe
    mRun: [MKevc] c:\windows\setup.exe
    mRun: [HNUiiHXlud] c:\docume~1\parent\locals~1\temp\system.exe
    mRun: [MKfPc] c:\windows\win16.exe
    mRun: [HNUiiHXlotc] c:\docume~1\parent\locals~1\temp\hexdump.exe
    mRun: [MKbuqc] c:\windows\iexplarer.exe
    mRun: [HNUiiHXlie] c:\docume~1\parent\locals~1\temp\Setup.exe
    mRun: [Mzufetalajoqib] rundll32.exe "c:\windows\ebecupuw.dll",Startup
    mRun: [uPc+MV0NkMJsiv] rundll32.exe c:\windows\system32\eek4l.dll, SystemServer
    mRun: [HNUiiHXlfP] c:\docume~1\parent\locals~1\temp\rz4xg2.exe
    mRun: [Clearwire Connection Manager] "c:\program files\clearwire\connection manager\ClearwireCM.exe" -a
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179847293578
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 66.233.175.12 75.94.255.12
    TCP: Interfaces\{4DB1283A-62C5-4EDF-AC39-55B5616516EA} : DhcpNameServer = 66.233.175.12 75.94.255.12
    Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.5.1.191.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    STS: c:\windows\system32\nt7ut.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\nt7ut.dll
    LSA: Authentication Packages = msv1_0 nwprovau
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    Hosts: 72.52.4.76 www.limewire.com
    Hosts: 72.52.4.76 www.frostwire.com
    Hosts: 72.52.4.76 www.bit-torrent.com
    Hosts: 72.52.4.76 www.bearshare.com
    Hosts: 72.52.4.76 www.zeropaid.com
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-12-2 24064]
    R1 HMFAxCoreac1538dd22fa7acfd433f47c679ad9da;HMFAxCoreac1538dd22fa7acfd433f47c679ad9da;c:\windows\system32\drivers\HMFAxCoreac1538dd22fa7acfd433f47c679ad9da.sys [2010-12-9 22304]
    R2 clearwireDeviceDiagnosticsService;Clearwire Device Diagnostics Service;c:\program files\clearwire\connection manager\clearwireDeviceDiagnosticsService.exe [2010-6-17 398848]
    R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2007-5-30 140864]
    R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\clearwire\connection manager\DeviceLaunchSvc.exe [2011-5-11 107856]
    R3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2011-4-1 340480]
    R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2011-4-1 48768]
    R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\clearwire\connection manager\RcAppSvc.exe [2011-5-11 120144]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-12-2 44800]
    R3 McShield;McShield;c:\program files\mcafee\managed virusscan\vscan\McShield.exe [2007-5-30 144960]
    R3 MfeAVFK;McAfee Inc.;c:\windows\system32\drivers\MfeAVFK.sys [2007-5-22 72296]
    R3 MfeBOPK;McAfee Inc.;c:\windows\system32\drivers\MfeBOPK.sys [2007-5-22 34184]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-5-22 170408]
    S2 aaqzvytvv;Config Installer;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
    .
    =============== Created Last 30 ================
    .
    2011-11-01 14:46:25 388096 ----a-r- c:\documents and settings\parent\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-01 14:46:24 -------- d-----w- c:\program files\Trend Micro
    2011-10-31 14:30:11 -------- d-sh--w- c:\documents and settings\parent\PrivacIE
    2011-10-31 14:30:11 -------- d-----w- c:\documents and settings\parent\local settings\application data\Yahoo
    2011-10-31 14:26:37 -------- d-sh--w- c:\documents and settings\parent\IETldCache
    2011-10-31 14:19:08 -------- d-----w- c:\program files\Yahoo!
    2011-10-31 14:17:15 -------- dc-h--w- c:\windows\ie8
    2011-10-31 14:17:01 -------- d--h--w- c:\windows\msdownld.tmp
    2011-10-28 14:13:11 -------- d-----w- c:\documents and settings\parent\application data\Sammsoft
    2011-10-28 14:12:54 -------- d-----w- c:\program files\ARO 2011
    2011-10-28 11:45:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-27 23:55:45 -------- d-----w- c:\documents and settings\parent\application data\Clearwire
    2011-10-27 23:55:44 39632 ----a-w- c:\windows\system32\drivers\swmsflt.sys
    2011-10-27 23:55:03 -------- d-----w- c:\program files\common files\PctelEapPeer Authentication
    2011-10-27 23:54:56 -------- d-----w- c:\program files\Clearwire
    2011-10-27 23:54:56 -------- d-----w- c:\documents and settings\all users\application data\Clearwire
    2011-10-27 20:56:26 -------- d-----w- c:\program files\Lavasoft
    2011-10-27 20:53:20 -------- d-----w- c:\program files\Webroot
    2011-10-27 20:53:20 -------- d-----w- c:\documents and settings\parent\application data\Webroot
    2011-10-27 20:52:50 44032 ----a-w- c:\windows\Unwash5.exe
    2011-10-27 12:57:35 -------- d-----w- c:\windows\pss
    2011-10-27 12:36:43 -------- d-----w- c:\windows\system32\appmgmt
    2011-10-26 14:57:09 -------- d-----w- c:\documents and settings\all users\application data\Links 2003
    2011-10-26 14:48:42 -------- d-----w- c:\program files\Microsoft Games
    .
    ==================== Find3M ====================
    .
    2011-10-31 13:44:02 0 ----a-w- c:\windows\Iqumiv.bin
    .
    ============= FINISH: 7:49:30.82 ===============

    *****************************************************************

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-01 08:20:44
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380815AS rev.3.CHH
    Running: 6p08w6l1.exe; Driver: C:\DOCUME~1\Parent\LOCALS~1\Temp\ffwcifow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\drivers\HMFAxCoreac1538dd22fa7acfd433f47c679ad9da.sys (Hide My Folders AX Control Core Driver/Eltima Software) ZwCreateFile [0xBA1394A8] <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\system32\drivers\HMFAxCoreac1538dd22fa7acfd433f47c679ad9da.sys (Hide My Folders AX Control Core Driver/Eltima Software) ZwOpenFile [0xBA1396A6] <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\system32\drivers\HMFAxCoreac1538dd22fa7acfd433f47c679ad9da.sys (Hide My Folders AX Control Core Driver/Eltima Software) ZwQueryDirectoryFile [0xBA13981A] <-- ROOTKIT !!!

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9D43527]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9D43551]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9D43511]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9D434E7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9D43567]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9D4353B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 805018C4 7 Bytes JMP A9D4353F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A6286 7 Bytes JMP A9D43555 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A709C 5 Bytes JMP A9D4356B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805AC81E 7 Bytes JMP A9D43515 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805C601E 5 Bytes JMP A9D4352B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C77FE 5 Bytes JMP A9D434EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB98A9000, 0x1A4422, 0xE8000020]
    ? C:\DOCUME~1\Parent\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C60FDB
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C600C1
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C60F79
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C600E6
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C60F4D
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C60F32
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C6006C
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C6001B
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C60F8A
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C60047
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C6002C
    .text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C60F5E
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C5001B
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C50F94
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C50FCA
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C50FDB
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C50FA5
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C50000
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C5003D
    .text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C5002C
    .text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40FB7
    .text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40042
    .text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40FD2
    .text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40FEF
    .text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40031
    .text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C4000C
    .text C:\WINDOWS\system32\svchost.exe[896] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C30FEF
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A00000
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A00084
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A00F8F
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A00FAC
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A00069
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A00058
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A000A6
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A00F6A
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A00F39
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A000D2
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A00F28
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A00FD1
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A00011
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A00095
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A0003D
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A00022
    .text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A000C1
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 009F0FCD
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 009F0F97
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 009F0FDE
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 009F0FEF
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 009F0FB2
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 009F0000
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 009F0054
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 009F002F
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E005D
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0042
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FE3
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0000
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0FD2
    .text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E001D
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009D0FEF
    .text C:\WINDOWS\System32\svchost.exe[1024] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 01819DB4
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02D70FEF
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02D70042
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02D70F4D
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02D70F5E
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02D70F79
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02D70F94
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02D70084
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02D70067
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02D70F2B
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02D700BA
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02D70F10
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02D7001B
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02D70FCA
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02D70F3C
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02D70000
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02D70FAF
    .text C:\WINDOWS\System32\svchost.exe[1024] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02D7009F
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02D60FB6
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02D60022
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 02D60011
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02D60FDB
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02D60F6F
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02D60000
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 02D60F80
    .text C:\WINDOWS\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 02D60FA5
    .text C:\WINDOWS\System32\svchost.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 028A0FD9
    .text C:\WINDOWS\System32\svchost.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 028A005A
    .text C:\WINDOWS\System32\svchost.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 028A002E
    .text C:\WINDOWS\System32\svchost.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 028A0000
    .text C:\WINDOWS\System32\svchost.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 028A0049
    .text C:\WINDOWS\System32\svchost.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 028A001D
    .text C:\WINDOWS\System32\svchost.exe[1024] NETAPI32.dll!NetpwPathCanonicalize 5B86A101 5 Bytes JMP 01819D54
    .text C:\WINDOWS\System32\svchost.exe[1024] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02890FE5
    .text C:\WINDOWS\System32\svchost.exe[1024] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 02880FEF
    .text C:\WINDOWS\System32\svchost.exe[1024] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 02880000
    .text C:\WINDOWS\System32\svchost.exe[1024] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 02880011
    .text C:\WINDOWS\System32\svchost.exe[1024] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 02880FB6
    .text C:\WINDOWS\system32\svchost.exe[1072] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 00799DB4
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00930086
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00930075
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00930F9B
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00930058
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00930036
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009300BE
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00930F76
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009300FE
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00930F5B
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00930119
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00930047
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0093001B
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00930097
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00930FCA
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00930FE5
    .text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009300CF
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0078002F
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0078006C
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00780FD4
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00780FEF
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0078005B
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 0078000A
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0078004A
    .text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00780FC3
    .text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770FB9
    .text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FD4
    .text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770033
    .text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770FEF
    .text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770044
    .text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770018
    .text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0076000A
    .text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00750000
    .text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 0075001B
    .text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00750036
    .text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00750FDB
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006E0FEF
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006E0F6D
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006E006C
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006E005B
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006E0F9E
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006E002F
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006E00B3
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006E0098
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006E00DF
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006E0F50
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 006E0F2B
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 006E0040
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 006E0FD4
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 006E0087
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 006E0FB9
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 006E000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 006E00CE
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 006D0FCA
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 006D0051
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 006D0FE5
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 006D001B
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 006D0F9E
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 006D0000
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 006D0FAF
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 006D0040
    .text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0FB7
    .text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0FC8
    .text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FD9
    .text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0000
    .text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C002E
    .text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C001D
    .text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0026000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 002600A2
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00260087
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00260FB9
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00260076
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00260FDE
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00260F61
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00260F88
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002600F0
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002600DF
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00260101
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00260065
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0026001B
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 002600B3
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00260FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00260040
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 002600C4
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00340025
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0034004A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0034000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00340FD4
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00340F8D
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00340FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00340FA8
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00340FB9
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 00CE1CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 00D7DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 00D84832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 00CA9315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 00D7DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 00E9E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 00E9DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 00E9DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 00E9DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 00E9DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 00E9E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 00E9DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00350F89
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00350F9A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00350000
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00350FEF
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00350FAB
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00350FD2
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00D8488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 0246000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 02460025
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 02460036
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 02460047
    .text C:\Program Files\Internet Explorer\iexplore.exe[1268] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 02DD0000
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009A0F61
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009A0056
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009A003B
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009A0F7C
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009A0FA8
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009A00A2
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009A0F50
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009A00C4
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009A0F2B
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009A00DF
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009A0F8D
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009A0FD4
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009A007B
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009A000A
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009A0FC3
    .text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009A00B3
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00650036
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0065007D
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00650025
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0065000A
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0065006C
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00650FEF
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0065005B
    .text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00650FD4
    .text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640031
    .text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640F9C
    .text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0064000C
    .text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FE3
    .text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FB7
    .text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FD2
    .text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00620FEF
    .text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00620014
    .text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00620FDE
    .text C:\WINDOWS\system32\svchost.exe[1508] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00620FC3
    .text C:\WINDOWS\system32\svchost.exe[1508] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00630FEF
    .text C:\WINDOWS\explorer.exe[4228] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
    ? C:\WINDOWS\System32\svchost.exe[8504] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: MFC42.DLLunknown module: OLEAUT32.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] aaqzvytvv <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Config Installer
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 32
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] LocalSystem
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Reg HKLM\SYSTEM\CurrentControlSet\Services\aaqzvytvv\Parameters
    Reg HKLM\SYSTEM\CurrentControlSet\Services\aaqzvytvv\[email protected] C:\WINDOWS\system32\isagt.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] Config Installer
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 32
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 2
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] LocalSystem
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Reg HKLM\SYSTEM\ControlSet002\Services\aaqzvytvv\Parameters (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\aaqzvytvv\[email protected] C:\WINDOWS\system32\isagt.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\[email protected] 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2B220C1-A503-59BD-F413-01B53A2C8953}

    ---- EOF - GMER 1.0.15 ----
     
  2. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,777
    are you still getting help at bleeping computer?

    That thread seems to have progressed further than this one.
     
  3. beardbuster

    beardbuster Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    90
    I was but the links they give me do not work so I am vacating them if that is OK?
    I have used this forum years ago and this is where I wanted to start but lost the link till I scanned my email account and found same... This is where I want to be!!
    I hope that is Okay?
    No disrespect intended..
     
  4. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,777
    None taken......I was just looking at it from a 'fastest completion time' point of view.

    If we don't get someone in here to take a gander in the next day or so, just type 'bump' to get it to the top, and I'll try to flag someone down for you.

    thanks,

    v
     
  5. beardbuster

    beardbuster Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    90
    THANKS...
    ...sure would like to fix my girls' computer for them...
     
  6. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,777
    we'll get it taken care of.....just be patient. :)
     
  7. beardbuster

    beardbuster Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    90
    I will and I am...
    I am so glad I found you guys again...
    TRUST is not an issue and I am a patient person... with 6 children a man has to be LOL
     
  8. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hi and welcome to TSG.

    I am reviewing your logs and will respond with a reply as soon as I can.

    Please note that all my replies are reviewed by a qualified Analyst before I post. This ensures that you will continue to receive quality expert assistance.

    Thank you for your patience.
     
  9. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,777
    Thanks, Larusso.....:)
     
  10. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    You are welcome, valis


    Hi beardbuster,
    my name is Daniel and I will be assisting you with your malware-related problems.

    Before we move on, please read the following points carefully.
    • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
    • Perform everything in the correct order. Sometimes one step requires the previous one.
    • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
    • Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
    • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
    • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread and move on to assist someone else.
    • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
    • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


    Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
    • You should now be in the Internet Options screen. Select the Connections tab.
    • Click on LAN Settings
    • Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen.

    You should now be able to use your IE. Do not reboot your system now.



    Please download and scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Note: Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    You can use this thread as a guide.

    Please include the C:\ComboFix.txt in your next reply for further review.



    Please post in your next reply
    Combofix.txt
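
A way to verify the setting that the Internet Options steps above toggle, added here as an example and not part of Larusso's post: it reads a registry export of the per-user Internet Settings key and reports whether a proxy is enabled and whether it points at the local machine. The export text is constructed (its ProxyServer value is the one the ComboFix log in this thread reports), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of an exported Internet Settings key. The ProxyServer
# value is the one this thread's ComboFix log reports; the rest is assumed.
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8075"
"ProxyOverride"="<local>"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_values(export_text):
    """Return {name: value} for the string and dword values in a .reg export."""
    values = {}
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            values[name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            values[name] = data[1:-1].replace("\\\\", "\\")
    return values


def proxy_endpoints(proxy_server):
    """Split ProxyServer into (scheme, host, port) tuples.

    Handles 'host:port' (one proxy for every protocol) and the
    per-protocol form 'http=host:port;https=host:port'.
    """
    endpoints = []
    for part in (p.strip() for p in proxy_server.split(";")):
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "all", part
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given
            host, port = hostport, ""
        endpoints.append((scheme.lower(), host, port))
    return endpoints


def is_loopback(host):
    """True when the proxy host is this machine (127.0.0.0/8, ::1, localhost)."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def assess_proxy(export_text):
    """Classify the state: disabled, loopback-proxy-enabled or proxy-enabled."""
    values = parse_values(export_text)
    endpoints = proxy_endpoints(values.get("ProxyServer", ""))
    local = [e for e in endpoints if is_loopback(e[1])]
    if values.get("ProxyEnable", 0) != 1 or not endpoints:
        verdict = "disabled"
    elif local:
        verdict = "loopback-proxy-enabled"
    else:
        verdict = "proxy-enabled"
    return {"verdict": verdict, "endpoints": endpoints, "loopback": local}
```

A `loopback-proxy-enabled` verdict means browser traffic is being handed to a process on the same machine, so the proxy setting is worth rechecking after cleanup as well as before it.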
     
  11. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hello, are you still with us?

    If you do not reply within 24 hours I will unsubscribe from this thread and won't be notified about new replies.
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    As it's important to reply in a timely manner when dealing with malware, and even more so when a trainee is assisting so as not to hinder their progress, please note that due to your failure to reply, Larusso will be moving on to help others who are patiently waiting for assistance. I will revert the thread status back to "NEW" and leave it open until it automatically closes due to inactivity. :)
     
  13. beardbuster

    beardbuster Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    90
    Hello I am so SORRY!!!
    I moved and just now have internet access again...
    How do I restart this thread for help?
    THANKS in advance!!!
    Clyde
     
  14. beardbuster

    beardbuster Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    90
    ComboFix 11-12-04.02 - Parent 12/04/2011 7:57.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1791.1385 [GMT -5:00]
    Running from: c:\documents and settings\Parent\My Documents\Downloads\ComboFix.exe
    AV: Total Protection for Small Business *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\Parent\LOCALS~1\Temp\hexdump.exe
    c:\docume~1\Parent\LOCALS~1\Temp\rz4xg2.exe
    c:\docume~1\Parent\LOCALS~1\Temp\setup.exe
    c:\docume~1\Parent\LOCALS~1\Temp\system.exe
    c:\documents and settings\All Users\Application Data\Tarma Installer
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
    c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Parent\Local Settings\Application Data\{31E268AF-ACA7-496C-A9D6-E0CDEB3EE31D}
    c:\documents and settings\Parent\Local Settings\Application Data\{31E268AF-ACA7-496C-A9D6-E0CDEB3EE31D}\chrome.manifest
    c:\documents and settings\Parent\Local Settings\Application Data\{31E268AF-ACA7-496C-A9D6-E0CDEB3EE31D}\chrome\content\_cfg.js
    c:\documents and settings\Parent\Local Settings\Application Data\{31E268AF-ACA7-496C-A9D6-E0CDEB3EE31D}\chrome\content\overlay.xul
    c:\documents and settings\Parent\Local Settings\Application Data\{31E268AF-ACA7-496C-A9D6-E0CDEB3EE31D}\install.rdf
    c:\documents and settings\Parent\Local Settings\Application Data\syssvc.exe
    c:\documents and settings\Parent\WINDOWS
    c:\windows\avp.exe
    c:\windows\avp32.exe
    c:\windows\ebecupuw.dll
    c:\windows\iexplarer.exe
    c:\windows\mdm.exe
    c:\windows\MFATINKE.dll
    c:\windows\setup.exe
    c:\windows\system\oeminfo.ini
    c:\windows\system\WINSPOOL.DRV
    c:\windows\system32\6to4v32.dll
    c:\windows\system32\certstore.dat
    c:\windows\system32\Iasv32.dll
    c:\windows\system32\Ipripv32.dll
    c:\windows\system32\isagt.dll
    c:\windows\system32\nt7Ut.dll
    c:\windows\win16.exe
    c:\windows\wininst.exe
    .
    c:\windows\system32\msgsvc.dll . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_aaqzvytvv
    -------\Legacy_Iprip
    -------\Service_aaqzvytvv
    -------\Service_Iprip
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-03 20:47 . 1998-05-07 15:57 143872 ----a-w- c:\windows\system32\iacenc.dll
    2011-12-03 20:44 . 2000-09-18 14:25 1232384 ----a-r- c:\program files\Microsoft Games\Links LS 2000\Lstour\TOURPROV.EXE
    2011-12-03 20:44 . 2000-09-18 14:25 735232 ----a-r- c:\program files\Microsoft Games\Links LS 2000\Lstour\LAUNCHER.EXE
    2011-12-03 20:44 . 2001-06-26 19:26 270336 ----a-r- c:\program files\Microsoft Games\Links LS 2000\RES2000.DLL
    2011-12-03 20:44 . 2001-07-11 21:36 320000 ----a-w- c:\program files\Microsoft Games\Links LS 2000\LS2000.EXE
    2011-12-03 20:44 . 2000-10-13 20:15 3735552 ----a-w- c:\program files\Microsoft Games\Links LS 2000\linksls2k.exe
    2011-12-03 20:44 . 2001-06-26 19:27 24576 ----a-r- c:\program files\Microsoft Games\Links LS 2000\UNINST.DLL
    2011-12-03 20:44 . 2001-06-26 19:26 71168 ----a-r- c:\program files\Microsoft Games\Links LS 2000\HFB.DLL
    2011-12-03 20:44 . 2001-06-26 19:26 91648 ----a-r- c:\program files\Microsoft Games\Links LS 2000\DXV.DLL
    2011-12-03 20:44 . 2001-06-26 19:26 160768 ----a-r- c:\program files\Microsoft Games\Links LS 2000\DXAT.DLL
    2011-12-03 20:44 . 2001-06-26 19:27 110592 ----a-r- c:\program files\Microsoft Games\Links LS 2000\VIDEO2K.DLL
    2011-12-03 20:44 . 2001-06-26 19:27 107520 ----a-r- c:\program files\Microsoft Games\Links LS 2000\VWORLD2K.DLL
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-02 20:46 . 2011-11-02 20:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-01 14:46 . 2011-11-01 14:46 388096 ----a-r- c:\documents and settings\Parent\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-09-29 06:53 . 2011-11-02 18:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uPc+MV0NkMJsiv"="c:\windows\system32\eek4l.dll" [2011-01-12 30000]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2007-03-06 468544]
    "McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\myAgtTry.Exe" [2007-05-18 190016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-09 1044480]
    "uPc+MV0NkMJsiv"="c:\windows\system32\eek4l.dll" [2011-01-12 30000]
    "Clearwire Connection Manager"="c:\program files\Clearwire\Connection Manager\ClearwireCM.exe" [2011-05-11 54608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
    "c:\\Documents and Settings\\Parent\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9256:TCP"= 9256:TCP:nepye
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [12/2/2008 12:09 PM 24064]
    R1 HMFAxCoreac1538dd22fa7acfd433f47c679ad9da;HMFAxCoreac1538dd22fa7acfd433f47c679ad9da;c:\windows\system32\drivers\HMFAxCoreac1538dd22fa7acfd433f47c679ad9da.sys [12/9/2010 9:09 PM 22304]
    R2 clearwireDeviceDiagnosticsService;Clearwire Device Diagnostics Service;c:\program files\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe [6/17/2010 5:55 PM 398848]
    R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [5/30/2007 4:18 PM 140864]
    R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\Clearwire\Connection Manager\DeviceLaunchSvc.exe [5/11/2011 2:08 PM 107856]
    R3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [4/1/2011 7:52 AM 340480]
    R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [4/1/2011 7:52 AM 48768]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/2/2008 12:09 PM 44800]
    S2 aaqzvytvv;Config Installer;c:\windows\system32\svchost.exe -k netsvcs [12/31/2002 7:00 AM 14336]
    S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\Clearwire\Connection Manager\RcAppSvc.exe [5/11/2011 2:08 PM 120144]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 2:49 AM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 2:49 AM 8320]
    S3 pcidisk;pcidisk;c:\windows\system32\pcidisk.sys [12/31/2002 7:00 AM 2304]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    aaqzvytvv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1906211764-1294642078-4094575798-1003Core.job
    - c:\documents and settings\Parent\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 14:41]
    .
    2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1906211764-1294642078-4094575798-1003UA.job
    - c:\documents and settings\Parent\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uInternet Settings,ProxyServer = http=127.0.0.1:8075
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Parent\Application Data\Mozilla\Firefox\Profiles\brocejeg.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-MKZSc - c:\windows\avp32.exe
    HKCU-Run-MKcZ - c:\windows\mdm.exe
    HKCU-Run-MKevc - c:\windows\setup.exe
    HKCU-Run-MKfPc - c:\windows\win16.exe
    HKCU-Run-MKbuqc - c:\windows\iexplarer.exe
    HKCU-Run-Btedumamumus - c:\windows\MFATINKE.dll
    HKLM-Run-MKZSc - c:\windows\avp32.exe
    HKLM-Run-MKcZ - c:\windows\mdm.exe
    HKLM-Run-MKevc - c:\windows\setup.exe
    HKLM-Run-MKfPc - c:\windows\win16.exe
    HKLM-Run-MKbuqc - c:\windows\iexplarer.exe
    HKLM-Run-Mzufetalajoqib - c:\windows\ebecupuw.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-04 08:02
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aaqzvytvv]
    "ServiceDll"="c:\windows\system32\isagt.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(856)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2640)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\McAfee\Managed VirusScan\VScan\McShield.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-04 08:05:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-04 13:05
    .
    Pre-Run: 69,636,263,936 bytes free
    Post-Run: 69,666,775,040 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - CE1DBC4A8EEB2E5439A2616EB35785CB

    ********************************

    I ran the program as asked and the following popup happened after rebooting:
    [​IMG]
     
  15. beardbuster

    beardbuster Thread Starter

    Joined:
    Jul 2, 2005
    Messages:
    90

Short URL to this thread: https://techguy.org/1024950
