Need Help with "Wireshark Antivirus" attack


This topic is locked.

#1 TS2009 (Member, 55 posts)
Help ! My computer has been attacked by a very vicious virus calling itself "WireShark Antivirus". I am unable to accomplish the first steps outlined in the removal guide. Each time I try to run TFC, ERUNT, and Malware this virus blocks my attempts. I have no idea what to do next ? Crazy security warning messages keep popping up and I'm being redirected all over the place. My computer is running really slow and it's a wonder I can even get to this site. Thanks in advance on what to do next ?

#2 TS2009 (Topic Starter, Member, 55 posts)
I was finally able to run a Malware scan by using the Task Manager to hold the virus off. It was able to delete infected files with the exception of one. It was a CSRSS.EXE file.

Here is the MBAM Log.
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qtupdate (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qtupdate (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qtupdate (Heuristics.Reserved.Word.Exploit) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> Bad: (C:\Program Files\conhost.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

#3 heir (Trusted Helper, Malware Removal, 5,427 posts)
Try this guide

In case there are, you should follow this after that.

#4 TS2009 (Topic Starter, Member, 55 posts)

Oops, didn't know there was a "waiting room". So after 5 days I still haven't got this figured out. I in fact can't even get online with my computer any longer. Writing this from a work computer. I get blocked out when I try to do anything, so now I'm really stuck. I tried a few things and what is weird is that I managed to get to my email program and it received messages. Trying to get to the internet however results in fake security center messages from "Virus Soft" or "Security Suite".

#5 heir (Trusted Helper, Malware Removal, 5,427 posts)
OK

You can follow the first guide.

Use a clean computer that you can access the Internet from, download mbam-setup.exe and rename it to mbam-setup.com.
Save it to a memory-stick and transfer it to the infected computer.

Follow the rest of the guide.

Any luck?

#6 TS2009 (Topic Starter, Member, 55 posts)

OK I'll see what I can do tomorrow. I'll post the MBAM log as soon as I can get it. Thanks for the Help !

#7 heir (Trusted Helper, Malware Removal, 5,427 posts)
OK

#8 TS2009 (Topic Starter, Member, 55 posts)

OK, here's where I'm at after the system restore that I finally was able to get accomplished. My McAfee is disabled and I'm getting redirected.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4424

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/13/2010 11:33:16 AM
mbam-log-2010-08-13 (11-33-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 180431
Time elapsed: 1 hour(s), 19 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otensfbo (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otensfbo (Rogue.AntivirusSuite.Gen) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\xfsmoetnw\jvowpyrshdw.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\gilnnw.exe (Trojan.FakeAlert) -> No action taken.
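The two MBAM logs in this thread (#2 and #8) and the rename trick in #5 hang together on one finding: the HKEY_CLASSES_ROOT\exefile\shell\open\command data item. The script below is an added example, not Malwarebytes' code or anything posted by the helper; it parses MBAM 1.x log lines (the sample lines are copied from the logs in #2 and #8), labels what each finding does to the machine, lists what MBAM reported but did not remove, and renders the log's own Good values as a .reg file. The labels in classify() and the .reg rendering are the script's own.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log.

Added example for this thread, not Malwarebytes code.  The sample lines are
copied from the logs in posts #2 and #8; the labels in classify() and the
.reg rendering are this script's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Representative lines from the two logs in this thread (#2 and #8).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qtupdate (Heuristics.Reserved.Word.Exploit) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otensfbo (Rogue.AntivirusSuite.Gen) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> Bad: (C:\Program Files\conhost.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Program Files\csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\Temp\gilnnw.exe (Trojan.FakeAlert) -> No action taken.
"""

# item (Detection.Name) -> [Bad: (...) Good: (...) -> ] action
FINDING = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[A-Za-z][\w.]*)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>[^()]+)$"
)


@dataclass
class Finding:
    section: str
    item: str
    detection: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam(text: str) -> List[Finding]:
    """Collect every finding line, remembering which 'X Infected:' section it is under."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-1]
        elif (m := FINDING.match(line)):
            findings.append(Finding(section, **m.groupdict()))
    return findings


def classify(f: Finding) -> str:
    """Say what the finding does to the machine; the labels are this script's own."""
    item = f.item.lower()
    if "\\exefile\\shell\\open\\command" in item:
        # Every .exe launch becomes <rogue binary> "<real program>" <args>.  That is
        # why TFC, ERUNT and MBAM would not start in #1, and why the .com rename in
        # #5 works: .com files resolve through HKCR\comfile, a key the log does not
        # list as modified.
        return "exe-association hijack"
    if "\\security center\\" in item and item.endswith("disablenotify"):
        return "Security Center warning silenced"   # no 'not protected' alert for the user
    if "\\currentversion\\run\\" in item:
        return "autostart persistence"
    if "\\services\\" in item:
        return "service persistence"
    return "other"


def pending(findings: List[Finding]) -> List[Finding]:
    """What MBAM reported but did not remove: the point made in #9."""
    return [f for f in findings if f.action.startswith("No action taken")]


def reg_fix(findings: List[Finding]) -> str:
    """Render the log's own Good values as a .reg file (review it before importing)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f.good is None:
            continue
        if f.item.endswith("\\"):               # trailing backslash: the key's default value
            key, name = f.item[:-1], "@"
        else:                                   # otherwise the last component is the value name
            key, _, value = f.item.rpartition("\\")
            name = f'"{value}"'
        if f.good.isdigit():
            data = f"dword:{int(f.good):08x}"
        else:
            data = '"' + f.good.replace("\\", "\\\\").replace('"', '\\"') + '"'
        out += [f"[{key}]", f"{name}={data}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_LOG)
    for f in found:
        print(f"{classify(f):34} {f.detection:32} {f.item}")
    print(f"\n{len(pending(found))} of {len(found)} findings still need removal\n")
    print(reg_fix(found))
```

Run it as-is to see the nine findings labelled, all nine still pending, and a .reg that sets the exefile default back to `"%1" %*` and both Security Center DisableNotify flags to 0. Import that .reg only after the rogue's binary (C:\Program Files\conhost.exe in the Bad value) is gone, since the hijacked value relaunches it on every .exe start; the point of the .com rename in #5 is to get a scanner running without going through that key first.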

#9 heir (Trusted Helper, Malware Removal, 5,427 posts)

Quote: "-> No action taken."

You need to let MBAM remove what it finds.

Rerun MBAM again and post the log.

#10 TS2009 (Topic Starter, Member, 55 posts)
Malware finds nothing now. McAfee however is now inoperable and I'm unable to do anything with it. I now have a warning symbol and it's telling me that my computer is not protected ??


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4424

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/13/2010 4:21:19 PM
mbam-log-2010-08-13 (16-21-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 183104
Time elapsed: 2 hour(s), 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 heir (Trusted Helper, Malware Removal, 5,427 posts)
Let's have a deeper look.

Step 1.
Security check:

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2.
GMER-scan:

GMER Rootkit Scanner - Download - Homepage
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


Step 3.
OTL-scan:


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Underneath the option Extra Registry change it to Use SafeList.
  • Underneath the option File Scans check the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Step 4.
Things I would like to see in your reply:

  • The content of checkup.txt from step 1.
  • The content of ark.txt from step 2.
  • The content of OTL.txt and Extras.txt from step 3.

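To make sense of what the GMER scan in step 2 produces, here is an added example (mine, not GMER's code and not part of the helper's instructions) that groups a log's kernel-mode hooks by driver and vendor, groups its user-mode inline hooks by process and by the 64 KiB region they jump into, lists the API set that is hooked in every process, and sets aside hooks GMER reported in fragments. The sample lines are copied from the log posted in #14 (a handful of its several hundred lines); the grouping rules are the script's own and say nothing about whether a hook is legitimate, which is exactly why the caution in step 2 exists.

```python
"""Triage a GMER log: kernel hooks by driver/vendor, user-mode inline hooks by
process and by the 64 KiB region they jump into.

Added example for this thread, not GMER's code.  The sample lines are copied
from the log in post #14; the grouping is this script's own and does not
decide whether a hook is legitimate.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF22FB78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF22FB738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60FEF
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FAF
.text C:\Program Files\Messenger\msmsgs.exe[500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0FEF
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0014
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025A0FEF
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02590FC0
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [79, 8A] {JNS 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02570000
"""

KERNEL = re.compile(r"^Code\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
                    r"(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?$")
USER = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\w+)"
                  r"(?:\s+\+\s+(?P<off>\d+))?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.+)$")
JMP = re.compile(r"^JMP\s+([0-9A-Fa-f]{8})")
REGION = 0x10000   # Windows allocation granularity: one region is roughly one VirtualAlloc


@dataclass
class KernelHook:
    driver: str
    product: str
    vendor: str
    func: str
    addr: Optional[int]      # None when GMER prints the service name without an address


@dataclass
class UserHook:
    process: str
    pid: int
    module: str
    func: str
    offset: int              # non-zero for a fragment such as "CreateNamedPipeW + 4"
    addr: int
    size: int
    patch: str
    target: Optional[int]    # JMP destination, None when the patch is raw bytes


def parse_gmer(text: str) -> Tuple[List[KernelHook], List[UserHook]]:
    kernel, user = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := KERNEL.match(line):
            product, sep, vendor = m["desc"].rpartition("/")   # "Product/Vendor" as GMER prints it
            if not sep:
                product, vendor = vendor, "(no vendor string)"
            kernel.append(KernelHook(m["driver"], product, vendor, m["func"],
                                     int(m["addr"], 16) if m["addr"] else None))
        elif m := USER.match(line):
            jmp = JMP.match(m["patch"])
            user.append(UserHook(m["proc"], int(m["pid"]), m["module"], m["func"],
                                 int(m["off"] or 0), int(m["addr"], 16), int(m["n"]),
                                 m["patch"], int(jmp.group(1), 16) if jmp else None))
    return kernel, user


def kernel_by_driver(kernel: List[KernelHook]) -> Dict[str, Tuple[str, List[str]]]:
    """driver path -> (vendor, sorted hooked system services)."""
    funcs, vendors = defaultdict(set), {}
    for h in kernel:
        funcs[h.driver].add(h.func)
        vendors[h.driver] = h.vendor
    return {d: (vendors[d], sorted(f)) for d, f in funcs.items()}


def user_by_process(user: List[UserHook]) -> Dict[str, Dict[str, set]]:
    """'path[pid]' -> hooked module!function names and the 64 KiB regions they jump into."""
    out = defaultdict(lambda: {"functions": set(), "regions": set()})
    for h in user:
        entry = out[f"{h.process}[{h.pid}]"]
        entry["functions"].add(f"{h.module}!{h.func}")
        if h.target is not None:
            entry["regions"].add(h.target & ~(REGION - 1))
    return dict(out)


def hooked_everywhere(user: List[UserHook]) -> List[str]:
    """module!function pairs patched in every listed process: one framework injected system-wide."""
    per_process = user_by_process(user)
    if not per_process:
        return []
    return sorted(set.intersection(*(v["functions"] for v in per_process.values())))


def fragments(user: List[UserHook]) -> List[Tuple[str, int, str]]:
    """Hooks GMER reported in pieces rather than one 5-byte JMP; read the bytes by hand."""
    return sorted({(h.process.rsplit("\\", 1)[-1], h.pid, h.func)
                   for h in user if h.offset or h.size != 5 or h.target is None})


if __name__ == "__main__":
    kernel, user = parse_gmer(SAMPLE_LOG)
    for driver, (vendor, funcs) in kernel_by_driver(kernel).items():
        print(f"{driver}  [{vendor}]  {', '.join(funcs)}")
    for proc, info in user_by_process(user).items():
        print(f"{proc}: {len(info['functions'])} hooks -> regions",
              ", ".join(f"{r:08X}" for r in sorted(info["regions"])))
    print("hooked in every process:", hooked_everywhere(user))
    print("fragments to read by hand:", fragments(user))
```

Two things this makes visible in the #14 log that a scroll through several hundred lines hides: the kernel-mode entries all belong to one named McAfee driver, while the user-mode entries patch the same API set (CreateFileA, socket, and in the full log also the registry, LoadLibrary and WinINet families) in every process from msmsgs.exe to lsass.exe, each module's hooks jumping into its own 64 KiB region. That uniformity is the fingerprint of a single hooking framework injected system-wide; whether it is a security product's or malware's is the question the log alone does not answer, so the script reports and does not judge.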

#12 TS2009 (Topic Starter, Member, 55 posts)
OK I've completed the steps ! Log reports to follow ASAP !

#13 TS2009 (Topic Starter, Member, 55 posts)
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee SecurityCenter
McAfee Virtual Technician
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 13
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player
Adobe Reader 7.0
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbam.exe
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

#14 TS2009 (Topic Starter, Member, 55 posts)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-13 17:17:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\shannon1\LOCALS~1\Temp\axldypog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF22FB78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF22FB821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF22FB738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF22FB74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF22FB835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF22FB861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF22FB8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF22FB8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF22FB7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF22FB8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF22FB80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF22FB710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF22FB724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF22FB79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF22FB937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF22FB8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF22FB88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF22FB84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF22FB923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF22FB90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF22FB776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF22FB762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF22FB877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF22FB7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF22FB8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF22FB7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF22FB7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60FEF
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60FA5
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F6009A
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60073
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60FC0
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F6003D
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60F83
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F60F94
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F5E
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F60101
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60F4D
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60062
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60000
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F600BF
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F6002C
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60011
.text C:\Program Files\Messenger\msmsgs.exe[500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F600F0
.text C:\Program Files\Messenger\msmsgs.exe[500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40FA8
.text C:\Program Files\Messenger\msmsgs.exe[500] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F40FC3
.text C:\Program Files\Messenger\msmsgs.exe[500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40FDE
.text C:\Program Files\Messenger\msmsgs.exe[500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40FEF
.text C:\Program Files\Messenger\msmsgs.exe[500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40033
.text C:\Program Files\Messenger\msmsgs.exe[500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F40018
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50FAF
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F50047
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F50000
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F50FD4
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F5002C
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F50FEF
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F5001B
.text C:\Program Files\Messenger\msmsgs.exe[500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50F94
.text C:\Program Files\Messenger\msmsgs.exe[500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30000
.text C:\Program Files\Messenger\msmsgs.exe[500] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F2000A
.text C:\Program Files\Messenger\msmsgs.exe[500] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F20FEF
.text C:\Program Files\Messenger\msmsgs.exe[500] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F20FDE
.text C:\Program Files\Messenger\msmsgs.exe[500] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F20FCD
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0FEF
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E005E
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0F69
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0043
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E0F86
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E0FA8
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E00A0
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E0F4E
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E0F29
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E00C2
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E00D3
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E0F97
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E0FD4
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E0079
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0014
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E0FC3
.text C:\WINDOWS\system32\services.exe[684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E00B1
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070087
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060044
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[684] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[684] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[684] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[684] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00040011
.text C:\WINDOWS\system32\services.exe[684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0FE5
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB0F2B
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0F46
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB0F57
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB0F72
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB0F9E
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB0056
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0045
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0093
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB0078
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB0EDF
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB0F83
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0FCA
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB0F1A
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0FAF
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\lsass.exe[696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB0067
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20FC0
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20FD1
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D20011
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D20F79
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20F94
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20FA5
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10042
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FB7
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10027
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10FD2
.text C:\WINDOWS\system32\lsass.exe[696] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D10FE3
.text C:\WINDOWS\system32\lsass.exe[696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\lsass.exe[696] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\lsass.exe[696] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00CF0011
.text C:\WINDOWS\system32\lsass.exe[696] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00CF0022
.text C:\WINDOWS\system32\lsass.exe[696] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00CF0FC7
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025A0FEF
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025A0F5C
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025A0F77
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025A0051
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025A0040
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025A001E
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025A0078
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025A0F30
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025A00AE
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025A0093
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025A00BF
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025A002F
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025A0FDE
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025A0F41
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025A0FB2
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025A0FC3
.text C:\WINDOWS\system32\svchost.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025A0F15
.text C:\WINDOWS\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0259002C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#15
TS2009

OTL logfile created on: 8/13/2010 5:24:41 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\shannon1\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 205.00 Mb Available Physical Memory | 40.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 38.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 48.08 Gb Free Space | 64.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SHANNON
Current User Name: shannon1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
PRC - [2010/08/13 17:02:27 | 000,869,051 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\SecurityCheck.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/12/15 11:24:48 | 000,293,376 | R--- | M] () -- C:\Documents and Settings\shannon1\Local Settings\temp\Temporary Directory 1 for gmer.zip\gmer.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/17 14:29:04 | 000,806,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/02/11 11:06:36 | 000,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/04/13 19:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 19:12:14 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2008/04/03 15:48:49 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/11/01 17:13:26 | 000,151,552 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
PRC - [2006/12/18 19:13:04 | 002,465,792 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
PRC - [2002/01/30 19:30:48 | 000,212,992 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\NkView5\NkvMon.exe


========== Modules (SafeList) ==========

MOD - [2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
MOD - [2009/02/11 11:06:38 | 000,014,032 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/02/11 11:06:36 | 000,210,216 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)


========== Driver Services (SafeList) ==========

DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2006/10/20 14:03:04 | 000,183,552 | ---- | M] (CyberLink Corporation.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\CLBUDFR.sys -- (CLBUDFR)
DRV - [2006/10/20 14:03:04 | 000,010,368 | ---- | M] (Cyberlink Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\CLBStor.sys -- (CLBStor)
DRV - [2003/08/28 18:58:00 | 000,004,272 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bvrp_pci.sys -- (bvrp_pci)
DRV - [2003/05/02 15:19:00 | 001,312,555 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/05/19 07:01:15 | 000,000,000 | ---D | M]

[2010/08/10 08:34:02 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2009/04/17 13:53:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [EverioService] C:\Program Files\CyberLink\PCM4Everio\EverioService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKCU..\Run: [Power2GoExpress] C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe (Cyberlink)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\shannon1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (Yahoo! Inc.)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...90/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1174165687968 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\shannon1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\shannon1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (msapsspc.dllschannel.dlldigest.dllmsnsspc.dll) - File not found
O29 - HKLM SecurityProviders - (digiwet.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/05 01:00:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found