Need Help with "Wireshark Antivirus" attack
#1
Posted 06 August 2010 - 09:32 PM
#2
Posted 07 August 2010 - 04:16 AM
Here is the MBAM Log.
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qtupdate (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qtupdate (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qtupdate (Heuristics.Reserved.Word.Exploit) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> Bad: (C:\Program Files\conhost.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
#4
Posted 12 August 2010 - 06:51 AM
Try this guide
In case there are, you should follow this after that.
Ooops, didn't know there was a "waiting room". So after 5 days I still haven't got this figured out. I in fact can't even get on-line with my computer any longer. Writing this from work computer. I get blocked out when I try to do anything so now I'm really stuck. I tried a few things and what is weird is that I managed to get to my email program and it received messages. Trying to get to the Internet however results in fake security center messages from "Virus Soft" or "Security Suite".
#6
Posted 12 August 2010 - 03:41 PM
OK
You can follow the first guide.
Use a clean computer that you can access the Internet from and download mbam-setup.exe, then rename it to mbam-setup.com.
Save it to a memory-stick and transfer it to the infected computer.
Follow the rest of the guide.
Any luck?
OK I'll see what I can do tomorrow. I'll post the MBAM log as soon as I can get it. Thanks for the Help !
#7
Posted 12 August 2010 - 03:44 PM
#8
Posted 13 August 2010 - 11:17 AM
OK
OK here's where I'm at after system restore that I finally was able to get accomplished. My McAfee is disabled and I'm getting redirected.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4424
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
8/13/2010 11:33:16 AM
mbam-log-2010-08-13 (11-33-16).txt
Scan type: Full scan (C:\|)
Objects scanned: 180431
Time elapsed: 1 hour(s), 19 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otensfbo (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otensfbo (Rogue.AntivirusSuite.Gen) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\xfsmoetnw\jvowpyrshdw.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\gilnnw.exe (Trojan.FakeAlert) -> No action taken.
#9
Posted 13 August 2010 - 12:13 PM
-> No action taken.
You need to let MBAM remove what it finds.
Rerun MBAM again and post the log.
#10
Posted 13 August 2010 - 03:29 PM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4424
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
8/13/2010 4:21:19 PM
mbam-log-2010-08-13 (16-21-19).txt
Scan type: Full scan (C:\|)
Objects scanned: 183104
Time elapsed: 2 hour(s), 10 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#11
Posted 13 August 2010 - 03:52 PM
Step 1.
Security check:
Download Security Check by screen317 from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Step 2.
GMER-scan:
GMER Rootkit Scanner - Download - Homepage
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe.
- If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
- Save the log where you can easily find it, such as your desktop.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.
Step 3.
OTL-scan:
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Standard Output.
- Underneath the option Extra Registry change it to Use SafeList.
- Underneath the option File Scans check the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
Step 4.
Things I would like to see in your reply:
- The content of checkup.txt from step 1.
- The content of ark.txt from step 2.
- The content of OTL.txt and Extras.txt from step 3.
#12
Posted 13 August 2010 - 07:40 PM
#13
Posted 13 August 2010 - 07:41 PM
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
McAfee SecurityCenter
McAfee Virtual Technician
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 6 Update 13
Java 6 Update 7
Out of date Java installed!
Adobe Flash Player
Adobe Reader 7.0
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbam.exe
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
#14
Posted 13 August 2010 - 07:42 PM
Rootkit scan 2010-08-13 17:17:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\shannon1\LOCALS~1\Temp\axldypog.sys
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0FC3
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0FDE
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB004A
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EB0039
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0FB2
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0FB0
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0031
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0016
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0FE3
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FC1
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FD2
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00E90000
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00E9001B
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01030091
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0103006C
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0103005B
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01030F9E
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01030036
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01030F66
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01030F77
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01030F29
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01030F44
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01030F18
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01030FAF
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01030011
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010300A2
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01030FC0
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01030FD1
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01030F55
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01020FC0
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0102005B
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01020FE5
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01020011
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01020F9E
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01020FAF
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [22, 89]
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01020036
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01010FB9
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!system 77C293C7 5 Bytes JMP 01010044
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010FE5
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0101000C
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01010FD4
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01010029
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FE0FC0
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03200000
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03200F59
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03200F6A
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0320004E
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03200033
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03200FB6
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03200069
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03200F17
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0320008E
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03200EF5
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03200EE4
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03200F9B
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03200011
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03200F3E
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03200FC7
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03200022
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03200F06
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 031F0FB9
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 031F0F94
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 031F0FCA
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 031F0FDB
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 031F0051
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 031F0000
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 031F0040
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 031F0025
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00EA000A
.text C:\WINDOWS\System32\svchost.exe[1036] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[1036] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 031E003B
.text C:\WINDOWS\System32\svchost.exe[1036] msvcrt.dll!system 77C293C7 5 Bytes JMP 031E0020
.text C:\WINDOWS\System32\svchost.exe[1036] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 031E0FB7
.text C:\WINDOWS\System32\svchost.exe[1036] msvcrt.dll!_open 77C2F566 5 Bytes JMP 031E0FE3
.text C:\WINDOWS\System32\svchost.exe[1036] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 031E0FA6
.text C:\WINDOWS\System32\svchost.exe[1036] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 031E0FD2
.text C:\WINDOWS\System32\svchost.exe[1036] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 031C0000
.text C:\WINDOWS\System32\svchost.exe[1036] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 031C0FEF
.text C:\WINDOWS\System32\svchost.exe[1036] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 031C0025
.text C:\WINDOWS\System32\svchost.exe[1036] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 031C0036
.text C:\WINDOWS\System32\svchost.exe[1036] WS2_32.dll!socket 71AB4211 5 Bytes JMP 031D0000
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F0000
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009F0093
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009F0078
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009F005B
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009F0040
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009F0FAF
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009F00B0
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009F0F68
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009F010B
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009F00F0
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009F0F57
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009F0F9E
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009F0F83
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009F0025
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009F00CB
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009E0014
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009E005B
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009E0FC3
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009E0FD4
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009E004A
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009E002F
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009E0FB2
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D0FC1
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D004C
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D0FE3
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D0000
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D0FD2
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D001D
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 001B0025
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 001B0040
.text C:\WINDOWS\System32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C4002F
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C4001E
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40F50
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40F61
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40F8D
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C4005B
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40F13
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40087
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40076
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40EDD
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40F7C
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C4004A
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40FA8
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FB9
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C40EF8
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C3002F
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30FA8
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FDE
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30065
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FA6
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20031
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FC1
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20016
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\Explorer.EXE[1524] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1524] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1524] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01940FEF
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 019400B5
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 019400A4
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01940087
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01940076
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0194004A
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01940F77
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01940F94
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01940F41
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01940F52
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 019400EB
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01940065
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0194000A
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01940FA5
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01940FDE
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01940025
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 019400DA
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90F83
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90F9E
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C9000A
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C9004A
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C9002F
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C8006E
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80053
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8001D
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80038
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C8000C
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60000
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C6002F
.text C:\WINDOWS\Explorer.EXE[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DB000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00380FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00380F8A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00380FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00380FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00380047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00380000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0038002C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00380011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 3E352139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 3E35216A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00390F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] msvcrt.dll!system 77C293C7 5 Bytes JMP 00390FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00390FD7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00390000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00390022
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00390011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2152] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0000
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0076
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0F8B
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0FA8
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D005B
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FB9
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F4E
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0F5F
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00B1
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F18
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0EFD
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D004A
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FE5
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0F70
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0FCA
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D001B
.text C:\Program Files\Outlook Express\msimn.exe[2248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F33
.text C:\Program Files\Outlook Express\msimn.exe[2248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0038
.text C:\Program Files\Outlook Express\msimn.exe[2248] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0027
.text C:\Program Files\Outlook Express\msimn.exe[2248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FC8
.text C:\Program Files\Outlook Express\msimn.exe[2248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\Program Files\Outlook Express\msimn.exe[2248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FB7
.text C:\Program Files\Outlook Express\msimn.exe[2248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FE3
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FAF
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0051
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0FCA
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0000
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0036
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0FEF
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0F94
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\Program Files\Outlook Express\msimn.exe[2248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0011
.text C:\Program Files\Outlook Express\msimn.exe[2248] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FE5
.text C:\Program Files\Outlook Express\msimn.exe[2248] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900FCA
.text C:\Program Files\Outlook Express\msimn.exe[2248] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FB9
.text C:\Program Files\Outlook Express\msimn.exe[2248] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00900014
.text C:\Program Files\Outlook Express\msimn.exe[2248] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00EA0FEF
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- EOF - GMER 1.0.15 ----
#15
Posted 13 August 2010 - 07:46 PM
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\shannon1\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
511.00 Mb Total Physical Memory | 205.00 Mb Available Physical Memory | 40.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 38.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 48.08 Gb Free Space | 64.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SHANNON
Current User Name: shannon1
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard
========== Processes (SafeList) ==========
PRC - [2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
PRC - [2010/08/13 17:02:27 | 000,869,051 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\SecurityCheck.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/12/15 11:24:48 | 000,293,376 | R--- | M] () -- C:\Documents and Settings\shannon1\Local Settings\temp\Temporary Directory 1 for gmer.zip\gmer.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/17 14:29:04 | 000,806,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/02/11 11:06:36 | 000,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/04/13 19:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 19:12:14 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2008/04/03 15:48:49 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/11/01 17:13:26 | 000,151,552 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
PRC - [2006/12/18 19:13:04 | 002,465,792 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
PRC - [2002/01/30 19:30:48 | 000,212,992 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\NkView5\NkvMon.exe
========== Modules (SafeList) ==========
MOD - [2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
MOD - [2009/02/11 11:06:38 | 000,014,032 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/02/11 11:06:36 | 000,210,216 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
========== Driver Services (SafeList) ==========
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2006/10/20 14:03:04 | 000,183,552 | ---- | M] (CyberLink Corporation.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\CLBUDFR.sys -- (CLBUDFR)
DRV - [2006/10/20 14:03:04 | 000,010,368 | ---- | M] (Cyberlink Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\CLBStor.sys -- (CLBStor)
DRV - [2003/08/28 18:58:00 | 000,004,272 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bvrp_pci.sys -- (bvrp_pci)
DRV - [2003/05/02 15:19:00 | 001,312,555 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/05/19 07:01:15 | 000,000,000 | ---D | M]
[2010/08/10 08:34:02 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml
O1 HOSTS File: ([2009/04/17 13:53:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [EverioService] C:\Program Files\CyberLink\PCM4Everio\EverioService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKCU..\Run: [Power2GoExpress] C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe (Cyberlink)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\shannon1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (Yahoo! Inc.)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...90/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1174165687968 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\shannon1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\shannon1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (msapsspc.dllschannel.dlldigest.dllmsnsspc.dll) - File not found
O29 - HKLM SecurityProviders - (digiwet.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/05 01:00:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found