Trojan:Win32/Alureon.gen!U how to remove? [Solved]

This topic is locked.

#1 ag9723 (Member, 24 posts)
Ok, so I have run the Microsoft Malicious Software Removal Tool and it found Trojan:Win32/Alureon.gen!U
but could not remove the file. Also found was Win32/Obfuscator.ET.
I have no clue how to remove either. Please help!! :)
#2 fenzodahl512 (Malware Removal, 9,863 posts)
Hello, my name is fenzodahl512 and welcome to the forum.. Please do the following....


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double-click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step.
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished.
STOP! If you can't complete this step.. Tell me more about it..

NEXT

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan".

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

NEXT

Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans, as it may interfere with the output results.

Post these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GAMERS result..

#3 ag9723 (Topic Starter, Member, 24 posts)
Malwarebytes' Anti-Malware 1.40
Database version: 2607
Windows 5.1.2600 Service Pack 3

8/11/2009 9:23:30 PM
mbam-log-2009-08-11 (21-23-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178563
Time elapsed: 40 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\devry\Local Settings\Temp\Temporary Internet Files\Content.IE5\ROLK3Y6J\spynomore[1].exe (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
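Added example, not code from the thread or from Malwarebytes: a small Python parser for the MBAM log format posted above. It reads the summary counters and the per-section detection lines, groups objects by detection name, cross-checks each summary count against the items actually listed, and reports anything whose action line does not say the removal succeeded. The embedded sample is an abbreviated copy of the log above; the class and function names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: an abbreviated copy of the Malwarebytes log posted
# above (two empty sections dropped), embedded so the parser runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2607
Windows 5.1.2600 Service Pack 3

8/11/2009 9:23:30 PM
mbam-log-2009-08-11 (21-23-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178563
Time elapsed: 40 minute(s), 10 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\devry\Local Settings\Temp\Temporary Internet Files\Content.IE5\ROLK3Y6J\spynomore[1].exe (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 4" (summary block), "Registry Keys Infected:" (section header),
# "<object> (<detection name>) -> <action>." (one detection line).
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str     # which log section the line came from
    obj: str         # registry key/value, folder or file path
    detection: str   # MBAM detection name, e.g. "Stolen.data"
    action: str      # what MBAM did with it


@dataclass
class MbamReport:
    meta: dict = field(default_factory=dict)      # "Database version" -> "2607", ...
    summary: dict = field(default_factory=dict)   # section -> count claimed in the summary block
    sections: dict = field(default_factory=dict)  # section -> list[Detection]


def parse_mbam_log(text):
    """Parse one MBAM log into header fields, summary counts and per-section detections."""
    report, current = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            report.summary[m["section"]] = int(m["count"])
        elif (m := HEADER_RE.match(line)):
            current = m["section"]
            report.sections[current] = []
        elif current is not None:
            if (m := ITEM_RE.match(line)):  # skips "(No malicious items detected)"
                report.sections[current].append(Detection(current, m["obj"], m["detection"], m["action"]))
        elif ": " in line:  # header fields such as "Database version: 2607"
            key, _, value = line.partition(": ")
            report.meta[key] = value
    return report


def check_consistency(report):
    """Sections whose summary count disagrees with the detection lines actually listed."""
    return [f"{s}: summary says {claimed}, listed {len(report.sections.get(s, []))}"
            for s, claimed in report.summary.items() if len(report.sections.get(s, [])) != claimed]


def detections_by_name(report):
    """Group every detected object under its detection name."""
    grouped = defaultdict(list)
    for items in report.sections.values():
        for d in items:
            grouped[d.detection].append(d.obj)
    return dict(grouped)


def unresolved(report):
    """Detections whose action line does not report success; these still need attention."""
    return [d for items in report.sections.values() for d in items if "successfully" not in d.action]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"database {rep.meta.get('Database version')}, {sum(rep.summary.values())} items in summary")
    for name, objs in detections_by_name(rep).items():
        print(f"  {name}: {len(objs)} object(s)")
    for problem in check_consistency(rep):
        print("  mismatch:", problem)
    for d in unresolved(rep):
        print("  not removed:", d.obj)
```

To use it on another log, read the file and pass its text to `parse_mbam_log`; a non-empty result from `unresolved` or `check_consistency` is the cue that a rescan (or a different tool, as the helper's next steps suggest) is needed rather than declaring the machine clean.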

#4 ag9723 (Topic Starter, Member, 24 posts)
Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

8/13/2009 8:52:09 AM
mbam-log-2009-08-13 (08-52-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179407
Time elapsed: 48 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 ag9723 (Topic Starter, Member, 24 posts)
Logfile of random's system information tool 1.06 (written by random/random)
Run by devry at 2009-08-13 19:08:52
Microsoft Windows XP Professional Service Pack 3
System drive C: has 136 GB (89%) free of 153 GB
Total RAM: 895 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:00 PM, on 8/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\agrsmsvc.exe
c:\WINDOWS\system32\ifxspmgt.exe
c:\WINDOWS\system32\ifxtcs.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\devry\Desktop\RSIT.exe
C:\Program Files\trend micro\devry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [IFXSPMGT] c:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1178730505484
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...705/mcfscan.cab
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - c:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10011 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1757981266-839522115-1011Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1757981266-839522115-1011UA.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2006-11-30 67136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF21F1DB-80C6-11D3-9483-B03D0EC10000}]
Credential Manager for HP ProtectTools - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll [2006-11-21 71192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2006-11-01 1282048]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-03-28 1040384]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-01-20 159744]
"WatchDog"=C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-09-05 184320]
"PTHOSTTR"=c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE [2007-01-09 145184]
"IFXSPMGT"=c:\WINDOWS\system32\ifxspmgt.exe [2007-02-15 677408]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2006-07-13 729088]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]
"RoxioDragToDisc"=C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-10-30 1116920]
"CognizanceTS"=c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll [2003-12-22 17920]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-12-11 151552]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2006-11-30 112216]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-01-05 872448]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-05-26 4351216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

C:\Documents and Settings\devry\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="APSHook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-02-02 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OneCard]
c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [2007-02-07 74240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\OneCareMP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 3 months======

2009-08-13 17:08:38 ----A---- C:\WINDOWS\system32\logon.exe
2009-08-13 17:08:32 ----A---- C:\WINDOWS\system32\SKYNETeotvtelt.dll
2009-08-13 17:08:03 ----A---- C:\WINDOWS\system32\SKYNETkkylvvmq.dll
2009-08-13 00:34:03 ----D---- C:\Program Files\trend micro
2009-08-13 00:33:52 ----D---- C:\rsit
2009-08-13 00:29:47 ----D---- C:\WINDOWS\ERDNT
2009-08-13 00:29:26 ----D---- C:\Program Files\ERUNT
2009-08-12 12:03:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 12:03:04 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 12:02:59 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 12:02:52 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 12:02:44 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 12:02:00 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 12:01:54 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 12:01:41 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 12:01:31 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-11 21:53:46 ----D---- C:\918a33bb93905ff2b83f
2009-08-11 20:40:01 ----D---- C:\Documents and Settings\devry\Application Data\Malwarebytes
2009-08-11 20:39:49 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-11 20:39:48 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-11 19:08:03 ----D---- C:\adab61f7192e14ffdf19a15749c0
2009-08-10 20:38:45 ----D---- C:\Program Files\Windows Defender
2009-08-10 08:21:41 ----D---- C:\Program Files\ESET
2009-08-09 12:35:45 ----D---- C:\WINDOWS\McAfee.com
2009-08-09 12:07:21 ----D---- C:\32241fa13aa8c1c6fb1f98
2009-08-09 12:03:40 ----HD---- C:\Config.Msi
2009-08-08 11:07:21 ----D---- C:\Program Files\Windows Live Safety Center
2009-07-28 11:06:16 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-07-25 22:55:10 ----D---- C:\Documents and Settings\devry\Application Data\Mozilla
2009-07-17 21:03:13 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-07-17 21:03:11 ----D---- C:\Program Files\Yahoo!
2009-07-15 12:03:13 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 12:03:07 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-15 12:00:36 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-13 18:45:20 ----D---- C:\WINDOWS\Minidump
2009-07-11 11:33:44 ----D---- C:\Program Files\Mozilla Firefox
2009-07-11 11:30:34 ----D---- C:\Program Files\Paint.NET
2009-07-06 23:10:58 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2009-07-06 22:59:39 ----HDC---- C:\WINDOWS\$NtUninstallKB970483$
2009-07-06 22:58:24 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-06 22:57:59 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-07-06 22:54:28 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-06 22:53:47 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-05-20 18:32:30 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-20 18:32:23 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-20 18:32:16 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-20 18:32:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-20 18:31:53 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-20 18:31:43 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-20 18:14:25 ----N---- C:\WINDOWS\system32\xpsp4res.dll

======List of files/folders modified in the last 3 months======

2009-08-13 19:06:20 ----D---- C:\WINDOWS\Temp
2009-08-13 19:04:27 ----D---- C:\WINDOWS\system32\inetsrv
2009-08-13 19:02:53 ----SD---- C:\WINDOWS\Tasks
2009-08-13 19:01:22 ----D---- C:\WINDOWS\Prefetch
2009-08-13 19:01:11 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-13 18:59:51 ----SHD---- C:\WINDOWS\CSC
2009-08-13 18:59:49 ----D---- C:\WINDOWS
2009-08-13 17:08:48 ----D---- C:\WINDOWS\system32\drivers
2009-08-13 17:08:38 ----D---- C:\WINDOWS\system32
2009-08-13 00:34:03 ----RD---- C:\Program Files
2009-08-12 12:10:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-12 12:03:16 ----HD---- C:\WINDOWS\inf
2009-08-12 12:03:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-12 12:03:08 ----A---- C:\WINDOWS\imsins.BAK
2009-08-12 12:02:51 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-12 12:02:42 ----SHD---- C:\WINDOWS\Installer
2009-08-12 12:02:36 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-08-12 12:01:56 ----D---- C:\Program Files\Outlook Express
2009-08-11 20:20:58 ----D---- C:\QUARANTINE
2009-08-11 07:59:37 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-10 20:38:45 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-10 20:31:52 ----D---- C:\WINDOWS\system32\config
2009-08-10 20:28:35 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-10 20:05:50 ----SD---- C:\Documents and Settings\devry\Application Data\Microsoft
2009-08-09 18:19:00 ----SHD---- C:\System Volume Information
2009-08-09 18:19:00 ----D---- C:\WINDOWS\system32\Restore
2009-08-05 20:19:13 ----D---- C:\WINDOWS\system32\wbem
2009-08-05 20:19:13 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-05 14:31:47 ----D---- C:\Program Files\Microsoft Silverlight
2009-08-05 04:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-07-29 17:49:16 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-29 12:00:48 ----D---- C:\WINDOWS\system32\en-US
2009-07-29 12:00:48 ----D---- C:\Program Files\Internet Explorer
2009-07-29 12:00:22 ----D---- C:\WINDOWS\WinSxS
2009-07-19 08:33:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 08:32:59 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-17 21:03:10 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-07-17 14:01:06 ----A---- C:\WINDOWS\system32\atl.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmpdxm.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmp.dll
2009-07-11 11:31:10 ----RSD---- C:\WINDOWS\assembly
2009-07-10 17:33:09 ----SHD---- C:\RECYCLER
2009-07-07 07:02:34 ----D---- C:\Documents and Settings
2009-07-06 23:16:26 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-06 22:54:05 ----D---- C:\WINDOWS\ie7updates
2009-06-29 11:12:20 ----A---- C:\WINDOWS\system32\wininet.dll
2009-06-29 11:12:19 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-06-29 11:12:19 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-06-29 11:12:18 ----A---- C:\WINDOWS\system32\url.dll
2009-06-29 11:12:18 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-06-29 11:12:18 ----A---- C:\WINDOWS\system32\occache.dll
2009-06-29 11:12:18 ----A---- C:\WINDOWS\system32\mstime.dll
2009-06-29 11:12:18 ----A---- C:\WINDOWS\system32\msrating.dll
2009-06-29 11:12:18 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-06-29 11:12:16 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-06-29 11:12:16 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-06-29 11:12:16 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-06-29 11:12:16 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-06-29 11:12:16 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-06-29 11:12:14 ----N---- C:\WINDOWS\system32\corpol.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\icardie.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\extmgr.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-06-29 11:12:14 ----A---- C:\WINDOWS\system32\advpack.dll
2009-06-29 06:07:12 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-06-29 06:07:11 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-06-29 03:33:39 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-06-16 09:36:30 ----A---- C:\WINDOWS\system32\t2embed.dll
2009-06-16 09:36:30 ----A---- C:\WINDOWS\system32\fontsub.dll
2009-06-12 07:31:40 ----A---- C:\WINDOWS\system32\tlntsess.exe
2009-06-12 07:31:39 ----A---- C:\WINDOWS\system32\telnet.exe
2009-06-10 09:19:38 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-06-10 09:13:29 ----A---- C:\WINDOWS\system32\avifil32.dll
2009-06-10 01:14:49 ----A---- C:\WINDOWS\system32\wkssvc.dll
2009-06-03 14:09:37 ----A---- C:\WINDOWS\system32\quartz.dll
2009-05-26 08:47:03 ----A---- C:\WINDOWS\system32\ieframe.dll.mui
2009-05-20 19:18:38 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-05-20 19:03:38 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-20 18:48:01 ----D---- C:\WINDOWS\AppPatch
2009-05-20 18:41:04 ----A---- C:\WINDOWS\vbaddin.ini
2009-05-20 18:37:28 ----RSD---- C:\WINDOWS\Fonts
2009-05-20 18:36:44 ----D---- C:\Program Files\Microsoft Works
2009-05-20 18:34:54 ----D---- C:\Program Files\Common Files\System
2009-05-20 18:34:54 ----A---- C:\WINDOWS\win.ini
2009-05-20 18:20:54 ----D---- C:\Program Files\Windows Desktop Search

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2007-02-08 12856]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 eabfiltr;eabfiltr; C:\WINDOWS\system32\DRIVERS\eabfiltr.sys [2006-11-30 8192]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
R1 PersonalSecureDrive;PersonalSecureDrive; C:\WINDOWS\System32\drivers\psd.sys [2007-01-23 39080]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-10-26 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-10-26 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-10-26 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-10-26 104536]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-10-26 26296]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-10-26 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-10-26 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-10-26 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]
R3 Accelerometer;Accelerometer; C:\WINDOWS\system32\DRIVERS\Accelerometer.sys [2006-10-17 22016]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-10-01 281600]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2007-07-13 94976]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2008-11-21 1204128]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-02-02 1975296]
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (SwipeSensor); C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys [2007-02-22 140680]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2008-10-23 1391104]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2007-02-14 530861]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2007-02-14 30459]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2007-02-14 868298]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2007-02-14 67960]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HBtnKey;HBtnKey; C:\WINDOWS\system32\DRIVERS\cpqbttn.sys [2008-04-28 9344]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IFXTPM;IFXTPM; C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-01-23 36608]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2006-11-30 168776]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-03-28 224672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 b57w2k;Broadcom NetLink ™ Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-02-27 160256]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2007-02-14 149123]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\WINDOWS\system32\agrsmsvc.exe [2006-10-05 9216]
R2 ASBroker;Logon Session Broker; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 ASChannel;Local Communication Channel; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-02-02 446464]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2007-02-06 266295]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-02 135168]
R2 IFXSpMgtSrv;Security Platform Management Service; c:\WINDOWS\system32\ifxspmgt.exe [2007-02-15 677408]
R2 IFXTCS;Trusted Platform Core Service; c:\WINDOWS\system32\ifxtcs.exe [2007-01-23 849440]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 MSFtpsvc;FTP Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 PersonalSecureDriveService;Personal Secure Drive service; c:\WINDOWS\system32\IfxPsdSv.exe [2007-02-15 140832]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-06 887544]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-11-01 73728]
S3 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2006-11-01 20480]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

#6
ag9723
Member, Topic Starter, 24 posts
GMER 1.0.15.15020 [gamer.exe] - http://www.gmer.net
Rootkit scan 2009-08-13 19:15:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBAD0335B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xBAD032DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xBAD03385]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xBAD032EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBAD0331B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBAD033AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBAD032C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBAD0336F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xBAD03305]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xBAD03331]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBAD03347]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBAD033C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBAD03399]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP BAD0339D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP BAD0335F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP BAD033B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP BAD033C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP BAD03373 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP BAD03389 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP BAD0334B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP BAD03335 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP BAD03309 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP BAD032DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP BAD032F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP BAD0331F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP BAD032CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC006A
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F7F
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F90
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC004D
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0032
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F3F
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0087
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC00D8
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC00BD
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC00E9
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0FAB
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F5A
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FBC
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FCD
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC00A2
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE0062
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE001B
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE000A
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE0051
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CE0FAF
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 88]
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE0036
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD000C
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD003A
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD001D
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00CB0014
.text C:\WINDOWS\Explorer.EXE[328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007007F
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F7E
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700C6
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700FC
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F59
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0007010D
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700D7
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060039
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050047
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050036
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FBC
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F44
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF002F
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F55
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0F72
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0078
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0067
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF009A
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F0B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0EDC
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0F83
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF004A
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0089
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FAF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0051
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FC0
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0FB4
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0049
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB002E
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0FD9
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB001D
.text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 003A0000
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 003A0F83
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 003A006E
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003A0F94
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 003A0051
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 003A0FC0
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 003A0F46
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 003A0F57
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003A009F
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 003A0F10
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 003A0EEB
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 003A0FAF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 003A0FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 003A0F68
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 003A0036
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 003A001B
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 003A0F2B
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00390FA8
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00390F57
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00390FB9
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00390FCA
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00390F72
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00390FE5
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0039001E
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00390F97
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380051
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00380040
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0038000A
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00380FEF
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00380025
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00380FC6
.text C:\WINDOWS\System32\svchost.exe[964] WS2_32.dll!socket 71AB4211 3 Bytes JMP 0037000A
.text C:\WINDOWS\System32\svchost.exe[964] WS2_32.dll!socket + 4 71AB4215 1 Byte [8E]
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02570FEF
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0257004A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02570039
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02570F6B
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02570F7C
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02570FA8
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02570071
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02570F29
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02570EF3
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02570F04
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0257009D
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02570F8D
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0257000A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02570F3A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02570FC3
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02570FD4
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02570082
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02560036
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02560F8A
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02560FE5
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0256001B
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02560FAF
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02560000
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02560FC0
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [76, 8A] {JBE 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02560047
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02550F9C
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 02550FAD
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02550016
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02550FEF
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02550027
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02550FD2
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F55
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F8004A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80F70
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8002F
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F1F
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F3A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80EFD
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F0E
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800B1
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80FA8

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Services - GMER 1.0.15 ----

Service system32\drivers\SKYNETrdxgpaye.sys (*** hidden *** ) [SYSTEM] SKYNETjuvgakkl <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@imagepath \systemroot\system32\drivers\SKYNETnoecwjds.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\delete@C:\DOCUME~1\devry\LOCALS~1\Temp\ytasfwlnosvrcicu.tmp
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\drivers\SKYNETnoecwjds.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\SKYNETkkylvvmq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\SKYNETrpoddnsv.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\SKYNETeotvtelt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@imagepath \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpyotppph.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpquejmoe.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETdareoikt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETrqlasrnh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@imagepath \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpyotppph.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpquejmoe.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETdareoikt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETrqlasrnh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@imagepath \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpyotppph.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpquejmoe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETdareoikt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETrqlasrnh.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1409082233-1757981266-839522115-1003@RefCount 28

#7
ag9723

  • Topic Starter
  • Member
  • 24 posts
:) I have done everything; it's showing up as skynet in the registry.
There are 2 different reg keys, I don't know what to do from here. Help :)

#8
ag9723

  • Topic Starter
  • Member
  • 24 posts
Sorry, this is the entire GMER log:

GMER 1.0.15.15020 [gamer.exe] - http://www.gmer.net
Rootkit scan 2009-08-13 20:11:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBAD0335B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xBAD032DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xBAD03385]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xBAD032EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBAD0331B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBAD033AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBAD032C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBAD0336F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xBAD03305]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xBAD03331]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBAD03347]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBAD033C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBAD03399]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP BAD0339D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP BAD0335F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP BAD033B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP BAD033C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP BAD03373 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP BAD03389 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP BAD0334B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP BAD03335 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP BAD03309 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP BAD032DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP BAD032F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP BAD0331F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP BAD032CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC006A
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F7F
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F90
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC004D
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0032
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F3F
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0087
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC00D8
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC00BD
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DC00E9
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DC0FAB
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DC0F5A
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DC0FBC
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DC0FCD
.text C:\WINDOWS\Explorer.EXE[328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DC00A2
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE0062
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE001B
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE000A
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE0051
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CE0FAF
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 88]
.text C:\WINDOWS\Explorer.EXE[328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE0036
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD000C
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD003A
.text C:\WINDOWS\Explorer.EXE[328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD001D
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\Explorer.EXE[328] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00CB0014
.text C:\WINDOWS\Explorer.EXE[328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007007F
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F7E
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700C6
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700FC
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F59
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0007010D
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700D7
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060039
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050047
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050036
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FBC
.text C:\WINDOWS\system32\services.exe[752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F44
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF002F
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F55
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0F72
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0078
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0067
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF009A
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F0B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0EDC
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0F83
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF004A
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0089
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FAF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0051
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FC0
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0FB4
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0049
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB002E
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB0FD9
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB001D
.text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 003A0000
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 003A0F83
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 003A006E
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003A0F94
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 003A0051
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 003A0FC0
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 003A0F46
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 003A0F57
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003A009F
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 003A0F10
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 003A0EEB
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 003A0FAF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 003A0FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 003A0F68
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 003A0036
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 003A001B
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 003A0F2B
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00390FA8
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00390F57
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00390FB9
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00390FCA
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00390F72
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00390FE5
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0039001E
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00390F97
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380051
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00380040
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0038000A
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00380FEF
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00380025
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00380FC6
.text C:\WINDOWS\System32\svchost.exe[964] WS2_32.dll!socket 71AB4211 3 Bytes JMP 0037000A
.text C:\WINDOWS\System32\svchost.exe[964] WS2_32.dll!socket + 4 71AB4215 1 Byte [8E]
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02570FEF
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0257004A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02570039
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02570F6B
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02570F7C
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02570FA8
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02570071
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02570F29
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02570EF3
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02570F04
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0257009D
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02570F8D
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0257000A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02570F3A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02570FC3
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02570FD4
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02570082
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02560036
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02560F8A
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02560FE5
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0256001B
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02560FAF
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02560000
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02560FC0
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [76, 8A] {JBE 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02560047
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02550F9C
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 02550FAD
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02550016
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02550FEF
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02550027
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02550FD2
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F55
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F8004A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80F70
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8002F
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F1F
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F3A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80EFD
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F0E
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800B1
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80FA8
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F8005B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F8000A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80FC3
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80082
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F7005B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70FDB
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70F9E
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F70FB9
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 89]
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E50F90
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E50011
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50FC6
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E50FE3
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50FAB
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0380000A
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03800F97
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03800096
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03800FB2
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0380006F
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03800FD4
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03800F75
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03800F86
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03800F35
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03800F5A
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 038000E9
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03800FC3
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0380001B
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 038000A7
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03800036
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03800FE5
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 038000D8
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 037F001B
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 037F0F72
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 037F000A
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 037F0FCA
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 037F0F83
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 037F0FE5
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 037F0FA8
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9F, 8B]
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 037F0FB9
.text C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 037E0F7A
.text C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!system 77C293C7 5 Bytes JMP 037E0F95
.text C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 037E0FC1
.text C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 037E0FEF
.text C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 037E0FA6
.text C:\WINDOWS\System32\svchost.exe[1200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 037E0FDE
.text C:\WINDOWS\System32\svchost.exe[1200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 037D0FEF
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 037C0000
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 037C0011
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 037C002C
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 037C003D
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A0FE5
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A0F66
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A0F77
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A0051
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A0F9E
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A0025
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A0F29
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006A0F3A
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006A0EFD
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006A008C
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006A00B1
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006A0040
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006A0FCA
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006A0F4B
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006A0FB9
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006A0F0E
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 3 Bytes JMP 0069002C
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW + 4 77DD6AB3 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 3 Bytes JMP 0069006C
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW + 4 77DD7770 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 3 Bytes JMP 00690FDB
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA + 4 77DD7856 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 3 Bytes JMP 00690011
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW + 4 77DD794A 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 3 Bytes JMP 00690FA5
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA + 4 77DDE9F8 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 3 Bytes JMP 00690000
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA + 4 77DDEFCC 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0069003D
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00690FB6
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00680FA8
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00680FB9
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00680FDE
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00680FEF
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00680029
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00680018
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0067000A
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B100A9
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B1008E
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B1007D
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10062
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B1002C
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F88
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F99
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10F52
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10F6D
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B10106
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B10051
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B100C4
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FC0
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B10FDB
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B100EB
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B00FCD
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B00F86
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B00014
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B00043
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B00FA1
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D0, 88]
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B00FBC
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF003B
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0FA6
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF0FC1
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0016
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FD2
.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024B0000
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024B006B
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024B005A
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024B003D
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024B002C
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024B0FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024B0F3E
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024B0F5B
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024B00B2
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024B0097
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024B0EFE
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024B0F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024B0FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024B0086
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024B0011
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024B0FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024B0F23
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 024A0FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 024A006C
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 024A001B
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 024A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 024A0FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 024A0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 024A0047
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 024A0036
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02490FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] msvcrt.dll!system 77C293C7 5 Bytes JMP 02490FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02490029
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02490FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0249003A
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02490018
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 02470FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 02470FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 02470FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 02470FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[2732] ws2_32.dll!socket 71AB4211 5 Bytes JMP 02480FEF
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F68
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F79
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE005D
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F94
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00AE
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0093
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F30
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F4B
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00E4
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0082
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FDB
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[2940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00BF
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FDB
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0066006C
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0066002C
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0066001B
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660FAF
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00660051
.text C:\WINDOWS\system32\svchost.exe[2940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FCA
.text C:\WINDOWS\system32\svchost.exe[2940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650073
.text C:\WINDOWS\system32\svchost.exe[2940] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065004E
.text C:\WINDOWS\system32\svchost.exe[2940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650022
.text C:\WINDOWS\system32\svchost.exe[2940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[2940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650033
.text C:\WINDOWS\system32\svchost.exe[2940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[2940] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[2940] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[2940] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00630FB9
.text C:\WINDOWS\system32\svchost.exe[2940] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[2940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A90FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01A90098
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01A9007D
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A90FA3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01A90062
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01A90036
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01A90F6D
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01A900B5
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01A90F26
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01A90F37
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01A90F0B
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01A90051
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01A90000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01A90F7E
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01A90FCA
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01A9001B
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01A90F48
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A70FBE
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A70049
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A7001D
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A70FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A7002E
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A70000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A80FB9
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A8004A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A80FCA
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A80000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A8002F
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A80FE5
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01A80F83
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C8, 89]
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A80FA8
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01A60FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01E50000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01E50F55
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01E50F70
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01E50F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01E50F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01E50040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01E50F27
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01E5006F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01E50094
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01E50EFB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01E50EE0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01E50FAF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01E50FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01E50F44
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01E5001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01E50FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01E50F16
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01E40FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01E4004A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01E40FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01E40FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01E40F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01E40FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01E40025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01E40014
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01E30FB5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] msvcrt.dll!system 77C293C7 5 Bytes JMP 01E30FC6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01E30FD7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01E30000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01E30036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01E30011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01E20FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] WinInet.dll!InternetOpenA 3D94C879 5 Bytes JMP 01220000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] WinInet.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 01220FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] WinInet.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 01220FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[3180] WinInet.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 01220025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01020FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01020067
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01020F7C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01020F8D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01020F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01020FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01020089
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01020F41
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0102009A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01020F01
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010200B5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01020040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0102000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01020078
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01020FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01020025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01020F26
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0101001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01010065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01010FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01010FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01010FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0101000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01010FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [21, 89]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01010040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01000FAD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] msvcrt.dll!system 77C293C7 5 Bytes JMP 01000038
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0100001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01000000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01000FBE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01000FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni@imagepath \systemroot\system32\drivers\SKYNETnoecwjds.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\delete@C:\DOCUME~1\devry\LOCALS~1\Temp\ytasfwlnosvrcicu.tmp
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\drivers\SKYNETnoecwjds.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\SKYNETkkylvvmq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\SKYNETrpoddnsv.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETirkcjsni\[email protected] \systemroot\system32\SKYNETeotvtelt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl@imagepath \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpyotppph.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpquejmoe.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETdareoikt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETrqlasrnh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl@imagepath \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpyotppph.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpquejmoe.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETdareoikt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETrqlasrnh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl@imagepath \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\drivers\SKYNETrdxgpaye.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpyotppph.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETpquejmoe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETdareoikt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjuvgakkl\[email protected] \systemroot\system32\SKYNETrqlasrnh.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1409082233-1757981266-839522115-1003@RefCount 28

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HFGELY2I\ftp[1].exe (size mismatch) 7914/0 bytes executable
File C:\WINDOWS\Temp\rdl65.tmp.exe (size mismatch) 7914/0 bytes executable

---- EOF - GMER 1.0.15 ----
  • 0

#9
fenzodahl512

  • Malware Removal
  • 9,863 posts
Yup.. The SKYNET has invaded your computer.. Let's "Terminate" it :)

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

Posted Image


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..
  • 0

#10
ag9723

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
ComboFix 09-08-10.06 - devry 08/14/2009 4:17.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.345 [GMT -5:00]
Running from: c:\documents and settings\devry\Desktop\Combo-Fix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-13 22:08 . 2009-08-13 22:08 45344 ----a-w- c:\windows\system32\drivers\pnj7fb0.sys
2009-08-13 05:34 . 2009-08-14 00:08 -------- d-----w- c:\program files\trend micro
2009-08-13 05:33 . 2009-08-13 05:34 -------- d-----w- C:\rsit
2009-08-13 05:29 . 2009-08-13 05:29 -------- d-----w- c:\program files\ERUNT
2009-08-12 07:31 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 02:53 . 2009-08-12 17:10 -------- d-----w- C:\918a33bb93905ff2b83f
2009-08-12 01:40 . 2009-08-12 01:40 -------- d-----w- c:\documents and settings\devry\Application Data\Malwarebytes
2009-08-12 01:39 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 01:39 . 2009-08-12 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 01:39 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 01:39 . 2009-08-12 01:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 00:08 . 2009-08-12 02:24 -------- d-----w- C:\adab61f7192e14ffdf19a15749c0
2009-08-11 01:38 . 2009-08-11 01:38 -------- d-----w- c:\program files\Windows Defender
2009-08-09 17:35 . 2009-08-09 17:35 -------- d-----w- c:\windows\McAfee.com
2009-08-09 17:17 . 2009-08-09 17:17 1152 ----a-w- c:\windows\system32\windrv.sys
2009-08-09 17:07 . 2009-08-09 17:07 -------- d-----w- C:\32241fa13aa8c1c6fb1f98
2009-08-08 16:07 . 2009-08-11 12:05 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-31 13:00 . 2009-07-31 13:00 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\WMTools Downloaded Files
2009-07-28 16:06 . 2009-07-28 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-26 17:41 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-07-26 17:41 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-26 15:42 . 2009-07-26 15:42 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Mozilla
2009-07-26 03:56 . 2009-08-05 17:43 -------- d-----w- c:\documents and settings\devry\Local Settings\Application Data\Temp
2009-07-26 03:56 . 2009-08-10 02:01 -------- d-----w- c:\documents and settings\devry\Local Settings\Application Data\Google
2009-07-26 03:55 . 2009-07-26 03:55 -------- d-----w- c:\documents and settings\devry\Local Settings\Application Data\Mozilla
2009-07-18 02:08 . 2009-08-13 03:16 -------- d-----w- c:\documents and settings\devry\Local Settings\Application Data\Paint.NET
2009-07-18 02:05 . 2009-07-18 02:05 -------- d-----w- c:\documents and settings\devry\Local Settings\Application Data\Yahoo
2009-07-18 02:03 . 2009-07-18 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-18 02:03 . 2009-05-27 00:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-07-18 02:03 . 2009-07-18 02:03 -------- d-----w- c:\program files\Yahoo!
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 17:02 . 2007-05-09 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 19:31 . 2008-08-22 14:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 09:01 . 2004-08-04 06:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 06:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 06:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 16:34 . 2009-07-11 16:34 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 16:30 . 2009-07-11 16:30 -------- d-----w- c:\program files\Paint.NET
2009-07-11 16:30 . 2007-05-09 15:05 84608 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-08 03:02 . 2009-07-08 03:02 84608 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 11:46 . 2009-07-07 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-07-07 01:34 . 2007-09-01 14:36 84608 ----a-w- c:\documents and settings\devry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 16:12 . 2004-08-04 06:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 06:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 06:56 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 06:56 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 06:56 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 06:56 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 06:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 06:56 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 06:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 04:59 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-04 06:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 06:56 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2007-05-09 14:53 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 06:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 06:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 06:56 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_08.59.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-07 16:35 . 2009-08-14 09:13 229774 c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-08-14 09:12 . 2009-08-14 09:12 172032 c:\windows\ERDNT\AutoBackup\8-14-2009\Users\00000002\UsrClass.dat
+ 2009-08-14 09:12 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\8-14-2009\ERDNT.EXE
+ 2009-08-14 09:12 . 2009-08-14 09:12 3457024 c:\windows\ERDNT\AutoBackup\8-14-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-09-06 184320]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-11 151552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-10-30 1116920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-01-20 159744]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1282048]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

c:\documents and settings\devry\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-5-9 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 06:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/23/2007 8:07 PM 39080]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:56 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:56 AM 14336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 7:13 PM 36608]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {09258F12-48E7-B18E-C414-1F48C215685F} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1757981266-839522115-1011Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-08 03:04]

2009-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1757981266-839522115-1011UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-08 03:04]

2009-08-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\devry\Application Data\Mozilla\Firefox\Profiles\8w948bkm.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 04:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\APSHook.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\APSHook.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-14 4:22
ComboFix-quarantined-files.txt 2009-08-14 09:22
ComboFix2.txt 2009-08-14 09:07
ComboFix3.txt 2009-08-14 09:00

Pre-Run: 142,731,370,496 bytes free
Post-Run: 142,678,876,160 bytes free

230 --- E O F --- 2009-08-12 17:03
  • 0


#11
fenzodahl512

  • Malware Removal
  • 9,863 posts
How many times did you run ComboFix???

Do the below, please


Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
  • Hit the Create Log button
  • When it asks for the scanning option, choose Scanning all drives >> Hit Start button (Do NOT hit "Ok" button)
  • Let it scan until it finishes
  • Find the log.txt inside the SysProt folder and attach the log here.



NEXT


Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)
  • 0

#12
ag9723

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Twice. I wasn't sure if it did anything, or if it was supposed to.....
  • 0

#13
ag9723

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 680
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 708
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 752
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 956
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1000
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1016
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1088
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Defender\MsMpEng.exe
PID: 1148
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1192
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PID: 1228
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1288
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1332
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1424
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1708
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Defender\MSASCui.exe
PID: 480
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 508
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Analog Devices\Core\smax4pnp.exe
PID: 516
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PID: 532
Hidden: No
Window Visible: No

Name: C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PID: 540
Hidden: No
Window Visible: No

Name: C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
PID: 560
Hidden: No
Window Visible: Yes

Name: C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PID: 568
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\WLTRAY.EXE
PID: 296
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 648
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PID: 660
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PID: 1644
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PID: 1488
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PID: 2136
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe
PID: 2524
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2840
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\agrsmsvc.exe
PID: 2884
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\IFXSPMGT.exe
PID: 2924
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\IFXTCS.exe
PID: 2944
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\inetsrv\inetinfo.exe
PID: 2988
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PID: 3028
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 3044
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PID: 3084
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PID: 3568
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
PID: 3640
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PID: 3668
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\IfxPsdSv.exe
PID: 3700
Hidden: No
Window Visible: No

Name: C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PID: 4060
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\scardsvr.exe
PID: 3848
Hidden: No
Window Visible: No

Name: C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
PID: 1564
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2900
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
PID: 2400
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 3836
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PID: 2172
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 3760
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 1952
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 4048
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\devry\Local Settings\Temporary Internet Files\Content.IE5\KD7GNLOR\SysProt[1]\SysProt\SysProt.exe
PID: 1868
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\devry\Local Settings\Temporary Internet Files\Content.IE5\KD7GNLOR\SysProt[1]\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: BAA02000
Module End: BAA0D000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7ADC000
Module End: F7ADE000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F79EC000
Module End: F79EF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F74AD000
Module End: F74DB000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7ADE000
Module End: F7AE0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F749C000
Module End: F74AD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F75DC000
Module End: F75E6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F75EC000
Module End: F75FC000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F75FC000
Module End: F760A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F79F0000
Module End: F79F3000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F79F4000
Module End: F79F8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7BA4000
Module End: F7BA5000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F785C000
Module End: F7863000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F747E000
Module End: F749C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F760C000
Module End: F7617000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F745F000
Module End: F747E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7AE0000
Module End: F7AE2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F7439000
Module End: F745F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: F79F8000
Module End: F79FB000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: F7BA5000
Module End: F7BA6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F7864000
Module End: F7869000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F761C000
Module End: F7629000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F7421000
Module End: F7439000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F762C000
Module End: F7635000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F763C000
Module End: F7649000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F7401000
Module End: F7421000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F73EF000
Module End: F7401000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\DRVMCDB.SYS
Service Name: DRVMCDB
Module Base: F73D9000
Module End: F73EF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F764C000
Module End: F7655000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F73C2000
Module End: F73D9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F7335000
Module End: F73C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F7308000
Module End: F7335000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F72EE000
Module End: F7308000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\hpdskflt.sys
Service Name: hpdskflt
Module Base: F765C000
Module End: F7665000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: F780C000
Module End: F781A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F6881000
Module End: F6A95000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F686D000
Module End: F6881000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Service Name: BCM43XX
Module Base: F6719000
Module End: F686D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F7944000
Module End: F7949000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F66F5000
Module End: F6719000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F794C000
Module End: F7954000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F781C000
Module End: F7827000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\DLACDBHM.SYS
Service Name: DLACDBHM
Module Base: F7B00000
Module End: F7B02000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F782C000
Module End: F783C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F783C000
Module End: F784B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F66D2000
Module End: F66F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F66AA000
Module End: F66D2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6696000
Module End: F66AA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
Service Name: IFXTPM
Module Base: F784C000
Module End: F7855000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F768C000
Module End: F7699000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7954000
Module End: F795A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: F665F000
Module End: F6696000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7B02000
Module End: F7B04000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F795C000
Module End: F7962000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
Service Name: Accelerometer
Module Base: F769C000
Module End: F76A6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
Service Name: HBtnKey
Module Base: F7ABC000
Module End: F7ABF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F76AC000
Module End: F76B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7964000
Module End: F796B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F7AC0000
Module End: F7AC4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: F7AC4000
Module End: F7AC7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\btkrnl.sys
Service Name: BTKRNL
Module Base: F658F000
Module End: F665F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7C92000
Module End: F7C93000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F76BC000
Module End: F76C9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7AC8000
Module End: F7ACB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6578000
Module End: F658F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F76CC000
Module End: F76D7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F76DC000
Module End: F76E8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F796C000
Module End: F7971000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F64C7000
Module End: F64D8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F76EC000
Module End: F76F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7974000
Module End: F7979000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F797C000
Module End: F7981000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F6497000
Module End: F64C7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F76FC000
Module End: F7706000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7B04000
Module End: F7B06000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F6439000
Module End: F6497000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F72C2000
Module End: F72C6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F72AE000
Module End: F72B2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\btport.sys
Service Name: BTDriver
Module Base: F7984000
Module End: F798B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\btaudio.sys
Service Name: btaudio
Module Base: F6391000
Module End: F6411000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F636D000
Module End: F6391000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F770C000
Module End: F771B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F771C000
Module End: F7726000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F774C000
Module End: F775B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ADIHdAud.sys
Service Name: ADIHdAudAddService
Module Base: EE18C000
Module End: EE1D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\AEAudio.sys
Service Name: AEAudio
Module Base: EE174000
Module End: EE18C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: EE04E000
Module End: EE174000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F798C000
Module End: F7994000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\psd.sys
Service Name: PersonalSecureDrive
Module Base: F79A4000
Module End: F79AC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7B10000
Module End: F7B12000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7C0B000
Module End: F7C0C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7B12000
Module End: F7B14000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\DLARTL_M.SYS
Service Name: DLARTL_M
Module Base: F79B4000
Module End: F79BA000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F79BC000
Module End: F79C2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7B14000
Module End: F7B16000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7B16000
Module End: F7B18000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F79C4000
Module End: F79C9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F79CC000
Module End: F79D4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7A98000
Module End: F7A9B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EDFF3000
Module End: EE006000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EDF9A000
Module End: EDFF3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfetdik.sys
Service Name: mfetdik
Module Base: F776C000
Module End: F7778000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EDF74000
Module End: EDF9A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EDF4C000
Module End: EDF74000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F777C000
Module End: F7785000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EDE8A000
Module End: EDEAC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F778C000
Module End: F7795000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
Service Name: eabfiltr
Module Base: F7B18000
Module End: F7B1A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EDE5F000
Module End: EDE8A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EDDEF000
Module End: EDE5F000
Hidden: No

Module Name: \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
Service Name: mferkdk
Module Base: F79D4000
Module End: F79DB000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F77AC000
Module End: F77B7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\btwusb.sys
Service Name: BTWUSB
Module Base: F77BC000
Module End: F77CC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
Service Name: ATSWPDRV
Module Base: EDDA6000
Module End: EDDC7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F77EC000
Module End: F77FC000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EDD8E000
Module End: EDDA6000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7B1E000
Module End: F7B20000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F6317000
Module End: F631A000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7874000
Module End: F7879000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7D20000
Module End: F7D21000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\DRVNDDM.SYS
Service Name: DRVNDDM
Module Base: F77FC000
Module End: F7807000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLADResM.SYS
Service Name: DLADResM
Module Base: F7CB8000
Module End: F7CB9000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAIFS_M.SYS
Service Name: DLAIFS_M
Module Base: EB936000
Module End: EB94E000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAOPIOM.SYS
Service Name: DLAOPIOM
Module Base: F78DC000
Module End: F78E1000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAPoolM.SYS
Service Name: DLAPoolM
Module Base: F7B40000
Module End: F7B42000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLABMFSM.SYS
Service Name: DLABMFSM
Module Base: F78E4000
Module End: F78EB000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLABOIOM.SYS
Service Name: DLABOIOM
Module Base: F78EC000
Module End: F78F3000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAUDFAM.SYS
Service Name: DLAUDFAM
Module Base: EB8F8000
Module End: EB90E000
Hidden: No

Module Name: C:\WINDOWS\System32\DLA\DLAUDF_M.SYS
Service Name: DLAUDF_M
Module Base: EB8E1000
Module End: EB8F8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EB916000
Module End: EB91A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EB50C000
Module End: EB521000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EB791000
Module End: EB7A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: F702F000
Module End: F705C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7B90000
Module End: F7B92000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
Service Name: IpFilterDriver
Module Base: F705C000
Module End: F7065000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: F6EC5000
Module End: F6F17000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: BADA6000
Module End: BADCE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Service Name: TDTCP
Module Base: F799C000
Module End: F79A2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Service Name: RDPWD
Module Base: BABA3000
Module End: BABC6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: BAB3A000
Module End: BAB7B000
Hidden: No

Module Name: \??\C:\DOCUME~1\devry\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: BAD06000
Module End: BAD0E000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: F7B6C000
Module End: F7B6E000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: BA7DF000
Module End: BA80A000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwTerminateProcess
At Address: 805D29AA
Jump To: BADB934B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 80621D36
Jump To: BADB9335
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRenameKey
At Address: 806231D2
Jump To: BADB9309
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 80624B82
Jump To: BADB92CB
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteValueKey
At Address: 80623E10
Jump To: BADB931F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 80623C40
Jump To: BADB92F3
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateKey
At Address: 806237B0
Jump To: BADB92DF
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:1298
Remote Address: IY-IN-F83.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:1297
Remote Address: SPYNETTEST.MICROSOFT.COM:HTTPS
Type: TCP
Process: C:\Program Files\Windows Defender\MSASCui.exe
State: ESTABLISHED

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:1272
Remote Address: IY-IN-F189.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:1265
Remote Address: IY-IN-F83.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:49100
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:1037
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:1033
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:1028
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:1031
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\inetsrv\inetinfo.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:HTTPS
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\inetsrv\inetinfo.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:HTTP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\inetsrv\inetinfo.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:SMTP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\inetsrv\inetinfo.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09:FTP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\inetsrv\inetinfo.exe
State: LISTENING

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09.GATEWAY.2WIRE.NET:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09:1178
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09:3456
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\inetsrv\inetinfo.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: 6715B-STUDENTMSTR-21MAY09:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{098414C3-85A3-47AB-9C65-16B3D3A9FF52}
Status: Access denied
  • 0

#14
ag9723

    Member

  • Topic Starter
  • Member
  • 24 posts
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
  • 0

#15
fenzodahl512

  • Malware Removal
  • 9,863 posts
Update and run your Malwarebytes' again >> remove everything that it found >> post the log here >> then do below...


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :)
  • 0





