Malware
Ivan Komarov, 2012-02-03 18:30:31

Spontaneous addition of routes in WinXp

There is a machine with WinXp SP3.
Spontaneous addition of routes is noticed.
A pattern has been noticed: when certain sites (for example, Twitter or Google) are opened in a browser (Opera / Firefox / Chrome), routes are guaranteed to be added.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.77.0.1      10.77.0.77       1
        10.77.0.0    255.255.255.0       10.77.0.77      10.77.0.77      10
       10.77.0.77  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.255.255.255  255.255.255.255       10.77.0.77      10.77.0.77      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
   173.194.69.101  255.255.255.255        10.77.0.1      10.77.0.77       1
   173.194.69.113  255.255.255.255        10.77.0.1      10.77.0.77       1
   173.194.69.138  255.255.255.255        10.77.0.1      10.77.0.77       1
   209.85.173.104  255.255.255.255        10.77.0.1      10.77.0.77       1
        224.0.0.0        240.0.0.0       10.77.0.77      10.77.0.77      10
  255.255.255.255  255.255.255.255       10.77.0.77      10.77.0.77       1
Default Gateway:         10.77.0.1
Persistent Routes:
  None

(The bogus routes are the ones marked as links.)

I suspect that this is the tail of some trojan or virus.
The system has been checked with Avast, Microsoft Security Essentials and Advanced SystemCare; they all say there is nothing suspicious.

sfc /scannow - also done

The routes are not added via route.exe: I replaced it with a stub that wrote to a log instead of installing the route. There were no calls.
What else can be done?

PS
I suspect that the routes are added by calling CreateIpForwardEntry (which lives in iphlpapi.dll). Is it possible to trace with some monitoring tool which dll/exe/sys calls this function?


2 answers

Andrew (@OLS), 2012-02-03

It looks very much like so-called ICMP Redirects: they are sent to your machine by the nearest router, or by a man-in-the-middle sitting in your network.
To disable them, Google suggests
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=0
I have not tried it myself.
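As an added example (not code from either poster), here is a small Python script that parses the XP `route print` output quoted in the question, flags host routes (/32) that are forwarded through a router rather than being on-link or loopback, which is the shape a redirect, a DHCP/RIP-supplied route or a local CreateIpForwardEntry caller leaves behind on a machine that has no persistent routes, and diffs two snapshots taken before and after opening a site. The sample text is reconstructed from the table above.

```python
import re
from typing import List, Tuple

# Constructed sample: the poster's XP "route print" output, retyped with
# English column names so the parser can be exercised offline.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.77.0.1      10.77.0.77       1
        10.77.0.0    255.255.255.0       10.77.0.77      10.77.0.77      10
       10.77.0.77  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.255.255.255  255.255.255.255       10.77.0.77      10.77.0.77      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
   173.194.69.101  255.255.255.255        10.77.0.1      10.77.0.77       1
   173.194.69.113  255.255.255.255        10.77.0.1      10.77.0.77       1
   173.194.69.138  255.255.255.255        10.77.0.1      10.77.0.77       1
   209.85.173.104  255.255.255.255        10.77.0.1      10.77.0.77       1
        224.0.0.0        240.0.0.0       10.77.0.77      10.77.0.77      10
  255.255.255.255  255.255.255.255       10.77.0.77      10.77.0.77       1
Default Gateway:         10.77.0.1
"""

Route = Tuple[str, str, str, str, int]  # destination, netmask, gateway, interface, metric
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^\s*{_IP}\s+{_IP}\s+{_IP}\s+{_IP}\s+(\d+)\s*$")

def parse_route_print(text: str) -> List[Route]:
    """Keep only the five-column data rows; headers and the gateway line do not match."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes

def forwarded_host_routes(routes: List[Route]) -> List[str]:
    """Destinations with a /32 route whose next hop is a router, i.e. neither the
    loopback address nor the interface itself (on-link). With no persistent routes
    configured, every such entry was injected at run time by something."""
    return sorted(dest for dest, mask, gw, iface, _ in routes
                  if mask == "255.255.255.255" and gw != "127.0.0.1" and gw != iface)

def new_routes(baseline: List[Route], current: List[Route]) -> List[Route]:
    """Diff two snapshots, e.g. taken just before and just after opening twitter."""
    return sorted(set(current) - set(baseline))
```

Take the baseline snapshot right after boot, the second one after reproducing the trigger, and feed both to `new_routes`; the destinations it reports are the ones to correlate with a network capture for ICMP type 5 or RIP traffic.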

chmv (@chmv), 2012-02-04

The routing table can also arrive via DHCP, but that would have happened when the IP address was obtained, not when you opened the site.
The routing table can also be changed through the RIP Listener (an optionally installed standard component of WinXP). Check whether it is installed: Control Panel -> Add or Remove Programs -> Add/Remove Windows Components -> Networking Services -> RIP Listener. Unfortunately, I do not know what these are called in Russian Windows XP.
PS Both of these technologies can be used by a provider to configure client computers. In my practice, one provider used both, eventually settling on the first as the most practical.
