
I have a virtuomonde and vundo virus


19 replies to this topic

#1 chulomex3

chulomex3

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:22 PM

Posted 16 April 2009 - 08:04 PM

:thumbsup:

I've never posted at a place to help but I hear you guys can help. I have hijack this installed.

I have a laripoke.dll, sutinaso.dll, and solumeje.dll rundll that keep trying to run. Anyway here's my log file.

I have Media Center running and I don't know what else to include that would be helpful to know.

Edited by chulomex3, 16 April 2009 - 08:16 PM.




#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:22 PM

Posted 16 April 2009 - 09:26 PM

Please hold the log from HJT. We cannot process those here.

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. – Will Smith


#3 chulomex3


Posted 16 April 2009 - 11:23 PM

It found 3 things. But FYI it has always found the 3 and I always fix the 3 with Malwarebytes. Here's the log.
And thanks for your help. :thumbsup:




Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 3

4/16/2009 9:21:12 PM
mbam-log-2009-04-16 (21-21-12).txt

Scan type: Quick Scan
Objects scanned: 90472
Time elapsed: 35 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zukesarobu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf3c11365 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0f220f9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 rigel


Posted 17 April 2009 - 01:29 PM

Those files are now our target. Our next step...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


#5 chulomex3


Posted 17 April 2009 - 10:58 PM

As requested.




SDFix: Version 1.240
Run by Joe on Fri 04/17/2009 at 05:51

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 18:54:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000e0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" , "
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\ehome\\ehshell.exe"="C:\\WINDOWS\\ehome\\ehshell.exe:LocalSubNet:Enabled:Media Center"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Vuze\\Azureus.exe"="C:\\Program Files\\Vuze\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\logonui.exe"="C:\\WINDOWS\\system32\\logonui.exe:*:Enabled:logonui"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"="C:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe:*:Enabled:Live Mesh Remote Desktop"
"C:\\Documents and Settings\\Joe\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"="C:\\Documents and Settings\\Joe\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe:*:Enabled:Live Mesh"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Verizon\\Media Manager\\MediaManager.exe"="C:\\Program Files\\Verizon\\Media Manager\\MediaManager.exe:*:Enabled:Verizon Media Manager Executable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Thu 16 Apr 2009 10,049,016 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Tue 31 Mar 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Tue 31 Mar 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 4 Apr 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"

Finished!

#6 rigel


Posted 18 April 2009 - 10:45 AM

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


#7 chulomex3


Posted 19 April 2009 - 12:38 AM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4019 (20090418)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a42176e9d63c4a4c84bcd8a7ce4cf123
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-19 04:19:06
# local_time=2009-04-18 09:19:06 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=401275
# found=2
# scan_time=27168
C:\Users\Joe\Documents\LimeWire\Incomplete\T-3545427-here comes bride [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) C67D77C9264A8B6B0714D0CD343E2B7D
E:\Joe\Documents\LimeWire\Incomplete\T-3545427-here comes bride [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) C67D77C9264A8B6B0714D0CD343E2B7D

#8 rigel


Posted 19 April 2009 - 05:33 PM

very good...

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Then update and rerun Malwarebytes. Post its new log.


#9 chulomex3


Posted 20 April 2009 - 10:47 PM

SUPERanti Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/20/2009 at 12:58 PM

Application Version : 4.26.1000

Core Rules Database Version : 3852
Trace Rules Database Version: 1805

Scan type : Complete Scan
Total Scan Time : 15:58:17

Memory items scanned : 329
Memory threats detected : 0
Registry items scanned : 5151
Registry threats detected : 1
File items scanned : 131968
File threats detected : 3

Rogue.Component/Trace
HKU\S-1-5-21-839522115-2025429265-1417001333-1005\Software\Microsoft\FIAS4057

Adware.Vundo/Variant-MSFake
C:\INSTALL\DOTNETFX11.EXE

Trojan.Unknown Origin
D:\RECYCLER\S-1-5-21-1085031214-1801674531-725345543-1003\DD96.BUP
D:\RECYCLER\S-1-5-21-1085031214-1801674531-725345543-1003\DD97.IFO






MalwareBytes Log

Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

4/20/2009 08:47:02 PM
mbam-log-2009-04-20 (20-47-02).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 243088
Time elapsed: 1 hour(s), 24 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zukesarobu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf3c11365 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0f220f9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
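The two Malwarebytes logs in this thread (16 April and 20 April) report the same three values under HKLM\...\CurrentVersion\Run as "Quarantined and deleted successfully", which is what the poster means by "it has always found the 3". A parser that reads the MBAM 1.x log format and compares detections across runs makes that recurrence visible without reading the logs by hand. This is an added example, not code from BleepingComputer or from Malwarebytes; the two log excerpts are constructed, abbreviated copies of the format shown above.

```python
"""Parse Malwarebytes' Anti-Malware 1.x log text and compare detections across runs.

Added example, not code from the thread or from Malwarebytes. The two log
excerpts below are constructed in the format the thread shows (abbreviated).
"""
import re
from collections import OrderedDict

# Constructed excerpt of the 16 April quick scan.
LOG_APR16 = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 3

4/16/2009 9:21:12 PM
mbam-log-2009-04-16 (21-21-12).txt

Scan type: Quick Scan
Objects scanned: 90472
Time elapsed: 35 minute(s), 7 second(s)

Registry Values Infected: 3
Files Infected: 0

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zukesarobu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf3c11365 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0f220f9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Constructed excerpt of the 20 April full scan.
LOG_APR20 = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

4/20/2009 08:47:02 PM
mbam-log-2009-04-20 (20-47-02).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 243088
Time elapsed: 1 hour(s), 24 minute(s), 45 second(s)

Registry Values Infected: 3
Files Infected: 0

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zukesarobu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf3c11365 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0f220f9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# One detection line: "<path> (<detection name>) -> <action taken>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (header dict, {section name: [detection dicts]}).

    Header lines are "Key: value" pairs, including the summary counts such as
    "Registry Values Infected: 3"; a line ending in ":" starts a detail section.
    """
    header = {}
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "Infected" in line:
            current = line[:-1]
            sections[current] = []
            continue
        if current is None:
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        if line == "(No malicious items detected)":
            continue
        match = ITEM_RE.match(line)
        if match:
            sections[current].append(match.groupdict())
    return header, sections


def detections(sections):
    """Set of (section, path, detection name) triples for one scan."""
    return {(name, item["path"], item["detection"])
            for name, items in sections.items() for item in items}


def recurring(log_a, log_b):
    """Detections reported removed in both runs: a sign something re-creates them."""
    _, sections_a = parse_mbam_log(log_a)
    _, sections_b = parse_mbam_log(log_b)
    return sorted(detections(sections_a) & detections(sections_b))


def autorun_hits(sections):
    """Registry values under a ...\\CurrentVersion\\Run key, i.e. persistence entries."""
    return [item["path"] for item in sections.get("Registry Values Infected", [])
            if "\\currentversion\\run\\" in item["path"].lower()]


def count_mismatches(text):
    """Sections whose summary count disagrees with the number of lines listed."""
    header, sections = parse_mbam_log(text)
    return {name: (int(header.get(name, "0")), len(items))
            for name, items in sections.items()
            if int(header.get(name, "0")) != len(items)}


if __name__ == "__main__":
    for section, path, name in recurring(LOG_APR16, LOG_APR20):
        print(f"recurring [{section}] {name}: {path}")
```

The same three Run values coming back four days after being "deleted successfully" means the autorun entries are a symptom, not the source: whatever writes them was not in the quick-scan results, which is why the thread moves on to SDFix, ESET, SUPERAntiSpyware and rootkit scanners.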

#10 rigel


Posted 21 April 2009 - 06:28 AM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - a self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.


#11 chulomex3


Posted 21 April 2009 - 10:08 AM

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/21 08:02
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD2F0000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5FC000 Size: 8192 File Visible: No
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBA787000 Size: 2560 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9485000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\mcmsc_hfF3SokFh8JZLQy
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcmsc_ttCLz75KqB7HWhz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Joe\Local Settings\Temp\Perflib_Perfdata_a84.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe-BEDROOM-Joe-2009-04-19-142622.log
Status: Size mismatch (API: 2210805, Raw: 2210189)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ece506

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ebd240

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9ebd432

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9ececc8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecef88

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecd3ec

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecf3ec

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ece7b8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xad471df0

Stealth Objects
-------------------
Object: Hidden Module [Name: Microsoft.Live.Moe.ExceptionFilterLibrary.dll]
Process: Moe.exe (PID: 1956) Address: 0x00fc0000 Size: 28672

Object: Hidden Module [Name: Microsoft.Live.Moe.Runtime.dll]
Process: Moe.exe (PID: 1956) Address: 0x03050000 Size: 913408

Object: Hidden Module [Name: Microsoft.Live.Moe.Runtime.Platform.dll]
Process: Moe.exe (PID: 1956) Address: 0x03150000 Size: 151552

Object: Hidden Module [Name: Microsoft.Live.Moe.Resources.dll]
Process: Moe.exe (PID: 1956) Address: 0x03600000 Size: 299008

Object: Hidden Module [Name: Microsoft.Live.Moe.Synchronization.dll]
Process: Moe.exe (PID: 1956) Address: 0x03800000 Size: 610304

Object: Hidden Module [Name: Microsoft.Live.Moe.RDPServices.dll]
Process: Moe.exe (PID: 1956) Address: 0x03950000 Size: 53248

Object: Hidden Module [Name: Microsoft.Live.Moe.Communications.dll]
Process: Moe.exe (PID: 1956) Address: 0x038c0000 Size: 421888

Object: Hidden Module [Name: Microsoft.Live.Moe.ClientNotification.dll]
Process: Moe.exe (PID: 1956) Address: 0x03940000 Size: 53248

Object: Hidden Module [Name: System.Data.SqlServerCe.dll]
Process: Moe.exe (PID: 1956) Address: 0x04af0000 Size: 208896

Object: Hidden Module [Name: Microsoft.Live.Moe.Synchronization.Platform.dll]
Process: Moe.exe (PID: 1956) Address: 0x04ad0000 Size: 110592

Object: Hidden Module [Name: System.Runtime.Serialization.dll]
Process: Moe.exe (PID: 1956) Address: 0x05740000 Size: 299008

Object: Hidden Module [Name: System.ServiceModel.dll]
Process: Moe.exe (PID: 1956) Address: 0x083f0000 Size: 331776

Object: Hidden Module [Name: mscorlib.dll]
Process: Moe.exe (PID: 1956) Address: 0x10000000 Size: 1462272

Object: Hidden Module [Name: System.Xml.dll]
Process: Moe.exe (PID: 1956) Address: 0x6c6a0000 Size: 323584

Object: Hidden Module [Name: System.ServiceModel.Syndication.dll]
Process: Moe.exe (PID: 1956) Address: 0x6c5e0000 Size: 118784

Object: Hidden Module [Name: System.dll]
Process: Moe.exe (PID: 1956) Address: 0x79000000 Size: 241664

Object: Hidden Module [Name: Microsoft.WlcProfile.dll]
Process: Moe.exe (PID: 1956) Address: 0x7baf0000 Size: 733184

Object: Hidden Module [Name: mscorlib.debug.resources.dll]
Process: Moe.exe (PID: 1956) Address: 0x7bd80000 Size: 192512

#12 rigel


Posted 21 April 2009 - 08:16 PM

We need to take another look...

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.


#13 chulomex3


Posted 22 April 2009 - 02:20 AM

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-22 00:16:39
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9ECE506]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9EBD240]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9EBD432]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9ECECC8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9ECEF88]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9ECD3EC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9ECF3EC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9ECE7B8]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD471DF0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAD3B44BC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAD3B45EC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAD3B45D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAD3B44FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAD3B4618]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAD3B4440]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAD3B4454]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAD3B44D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAD3B4654]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAD3B45C0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAD3B45AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAD3B4640]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAD3B462C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAD3B44A8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAD3B4494]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAD3B4602]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAD3B4512]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAD3B44E6]
Code 6350EB57 IoReportHalResourceUsage
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AD3B44EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AD3B44C0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AD3B4500 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AD3B4516 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AD3B44D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP AD3B4444 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP AD3B4458 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP AD3B4498 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP AD3B44AC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP AD3B45AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP AD3B4606 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP AD3B45C4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP AD3B45F0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 7 Bytes JMP AD3B45DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP AD3B4658 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP AD3B4630 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP AD3B4644 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP AD3B461C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\jqs.exe[168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01350001
.text C:\Program Files\Google\Update\GoogleUpdate.exe[176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E30001
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03530001
.text C:\WINDOWS\system32\msdtc.exe[456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00700001
.text C:\WINDOWS\system32\msdtc.exe[456] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[500] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03400001
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02DC0001
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\csrss.exe[568] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01630001
.text C:\WINDOWS\system32\winlogon.exe[600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 011C0001
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateFileA 7C801A28 3 Bytes JMP 010C0FEF
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateFileA + 4 7C801A2C 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!VirtualProtectEx 7C801A61 3 Bytes JMP 010C0F7C
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!VirtualProtectEx + 4 7C801A65 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!VirtualProtect 7C801AD4 3 Bytes JMP 010C0F8D
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!VirtualProtect + 4 7C801AD8 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010C0067
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00920001
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryExA 7C801D53 3 Bytes JMP 010C0F9E
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryExA + 4 7C801D57 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryA 7C801D7B 3 Bytes JMP 010C0FC0
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryA + 4 7C801D7F 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!GetStartupInfoW 7C801E54 3 Bytes JMP 010C0F50
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!GetStartupInfoW + 4 7C801E58 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010C00A2
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateProcessW 7C802336 3 Bytes JMP 010C00D1
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateProcessW + 4 7C80233A 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateProcessA 7C80236B 3 Bytes JMP 010C0F2E
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateProcessA + 4 7C80236F 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!GetProcAddress 7C80AE40 3 Bytes JMP 010C00E2
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!GetProcAddress + 4 7C80AE44 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryW 7C80AEEB 3 Bytes JMP 010C0FAF
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryW + 4 7C80AEEF 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010C000A
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010C0F6B
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010C002C
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010C001B
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010C0F3F
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010B002F
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010B0F8D
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010B0FDE
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010B0FEF
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010B004A
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010B000A
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 010B0FA8
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [2B, 89]
.text C:\WINDOWS\system32\services.exe[648] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010B0FB9
.text C:\WINDOWS\system32\services.exe[648] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010A002C
.text C:\WINDOWS\system32\services.exe[648] msvcrt.dll!system 77C293C7 5 Bytes JMP 010A001B
.text C:\WINDOWS\system32\services.exe[648] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010A0000
.text C:\WINDOWS\system32\services.exe[648] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010A0FE3
.text C:\WINDOWS\system32\services.exe[648] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010A0FAB
.text C:\WINDOWS\system32\services.exe[648] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010A0FC6
.text C:\WINDOWS\system32\services.exe[648] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 018D0FEF
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 018D0F66
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 018D0F77
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 018D0051
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FF0001
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 018D0F9E
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 018D001B
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 018D0F1D
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 018D0F3A
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018D00A2
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 018D0091
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 018D0EF8
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 018D0036
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 018D0FCA
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 018D0F4B
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 018D0FB9
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 018D0000
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 018D0076
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 018C0011
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 018C004E
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 018C0FCA
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 018C0000
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 018C003D
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 018C0FEF
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 018C0F9B
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AC, 89]
.text C:\WINDOWS\system32\lsass.exe[660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 018C0022
.text C:\WINDOWS\system32\lsass.exe[660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 018B005F
.text C:\WINDOWS\system32\lsass.exe[660] msvcrt.dll!system 77C293C7 5 Bytes JMP 018B0044
.text C:\WINDOWS\system32\lsass.exe[660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 018B0029
.text C:\WINDOWS\system32\lsass.exe[660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 018B000C
.text C:\WINDOWS\system32\lsass.exe[660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 018B0FD4
.text C:\WINDOWS\system32\lsass.exe[660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 018B0FEF
.text C:\WINDOWS\system32\lsass.exe[660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014D0000
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[708] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02960001
.text C:\WINDOWS\system32\Ati2evxx.exe[828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B6008E
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B6007D
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60FA5
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E00001
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60062
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B6002C
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B600BA
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B600A9
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B600DC
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60F4D
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B600F7
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60051
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B60F7E
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60FC0
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B600CB
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50FB2
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B50039
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B50FC3
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B50FDE
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50F7C
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B5001E
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B50F97
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B40FAD
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40038
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B4001D
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40FD2
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B4000C
.text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10FAD
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10FBE
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D100A2
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FF0001
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10091
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10065
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100C7
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F7F
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D100E9
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F50
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10F2B
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10076
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10025
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F9C
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D1004A
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100D8
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00FB9
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00036
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00025
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00076
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F0, 88]
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D0005B
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0F90
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FE3
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0FAB
.text C:\WINDOWS\system32\svchost.exe[916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FC6
.text C:\WINDOWS\system32\svchost.exe[916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0000
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02940FEF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02940082
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02940F8D
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02940F9E
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A50001
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02940FAF
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02940040
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 029400A7
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02940F5F
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 029400F1
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02940F4E
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02940102
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02940051
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0294000A
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02940F7C
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02940025
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02940FD4
.text C:\WINDOWS\System32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 029400CC
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 028A0FD4
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 028A0F8A
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 028A0025
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 028A000A
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 028A0051
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 028A0FEF
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 028A0040
.text C:\WINDOWS\System32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 028A0FB9
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02890F92
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 0289001D
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02890FD2
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02890000
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02890FAD
.text C:\WINDOWS\System32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02890FE3
.text C:\WINDOWS\System32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01A60FE5
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02930FEF
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0293000A
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02930FDE
.text C:\WINDOWS\System32\svchost.exe[964] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 02930FC3
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800FA1
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800FB2
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0080008C
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AE0001
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0080005B
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F75
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008000BD
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800104
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008000F3
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00800F5A
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800F86
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800040
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008000E2
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0FB9
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0040
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F0025
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007F0F83
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9F, 88]
.text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0F9E
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0047
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0036
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0FC6
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FE3
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E001B
.text C:\WINDOWS\system32\svchost.exe[1036] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0000
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A60F7C
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A60071
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A60F97
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D40001
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A60FA8
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A60FC3
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A60F50
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A60F61
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A60F2E
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A600C7
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A600D8
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A6004A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A6001B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A6008C
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A60FDE
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A60F3F
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A50F75
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50F86
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A50F97
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 88]
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50FA8
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40027
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40F9C
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A40FD2
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A40FB7
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A40FE3
.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30FEF
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1108] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02CE0001
.text C:\WINDOWS\system32\spoolsv.exe[1260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FE0001
.text C:\WINDOWS\system32\Ati2evxx.exe[1348] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D40001
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D5000A
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50089
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50078
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D5005D
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01010001
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50040
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D500A4
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50F5C
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50F26
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F37
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D500DA
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50F9E
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50F79
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D500B5
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D30FC0
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D30F8A
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D30FD1
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D30011
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D30047
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D30FA5
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F3, 88]
.text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D30036
.text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20077
.text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D20066
.text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D2003A
.text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D2000C
.text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D2004B
.text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20029
.text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00D40FE5
.text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00D40036
.text C:\WINDOWS\system32\svchost.exe[1700] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Program Files\Bonjour\mDNSResponder.exe[1744] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00830001
.text C:\WINDOWS\eHome\ehRecvr.exe[1776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009D0001
.text C:\WINDOWS\eHome\ehSched.exe[1792] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CF0001
.text C:\Program Files\Windows Home Server\esClient.exe[1808] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text ...
.text C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe[1956] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F61
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F72
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EB0001
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD008C
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD007B
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00DD
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00B8
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F1F
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F50
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[2080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00A7
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F9B
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0062
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[2080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0027
.text C:\WINDOWS\system32\svchost.exe[2080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0016
.text C:\WINDOWS\system32\svchost.exe[2080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FC1
.text C:\WINDOWS\system32\svchost.exe[2080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[2080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FB0
.text C:\WINDOWS\system32\svchost.exe[2080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\svchost.exe[2080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE007D
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE006C
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0040
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F50
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F6D
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F10
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00B3
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0EFF
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE005B
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE008E
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002F
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[2116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F35
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\svchost.exe[2116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\svchost.exe[2116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[2116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FB5
.text C:\WINDOWS\system32\svchost.exe[2116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FD7
.text C:\WINDOWS\system32\svchost.exe[2116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[2116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FC6
.text C:\WINDOWS\system32\svchost.exe[2116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0082
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00B8
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A009D
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F33
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F44
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F22
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A005B
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A001B
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\dllhost.exe[2140] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F55
.text C:\WINDOWS\system32\dllhost.exe[2140] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290033
.text C:\WINDOWS\system32\dllhost.exe[2140] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290022
.text C:\WINDOWS\system32\dllhost.exe[2140] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290011
.text C:\WINDOWS\system32\dllhost.exe[2140] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\dllhost.exe[2140] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FBC
.text C:\WINDOWS\system32\dllhost.exe[2140] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A007D
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0051
.text C:\WINDOWS\system32\dllhost.exe[2140] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\dllhost.exe[2140] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660000
.text C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe[2176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02080001
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013E0000
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013E0F74
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013E005F
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013E0F91
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 016C0001
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013E004E
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013E0033
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013E0F46
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013E0F63
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013E0F13
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013E0F24
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013E00C7
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013E0FAC
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013E0011
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013E0084
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013E0FD1
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013E0022
.text C:\WINDOWS\system32\svchost.exe[2248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013E0F35
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013D003D
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013D0F91
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013D002C
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013D0011
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013D0FAC
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013D0000
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 013D004E
.text C:\WINDOWS\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013D0FC7
.text C:\WINDOWS\system32\svchost.exe[2248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013C0FC6
.text C:\WINDOWS\system32\svchost.exe[2248] msvcrt.dll!system 77C293C7 5 Bytes JMP 013C0047
.text C:\WINDOWS\system32\svchost.exe[2248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013C001B
.text C:\WINDOWS\system32\svchost.exe[2248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013C0000
.text C:\WINDOWS\system32\svchost.exe[2248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013C002C
.text C:\WINDOWS\system32\svchost.exe[2248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013C0FE3
.text C:\WINDOWS\system32\svchost.exe[2248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013B0000
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2336] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B00001
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2336] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Windows Home Server\WHSConnector.exe[2404] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A20001
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2416] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B00001
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2416] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[2452] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EE0001
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[2452] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\ehome\ehtray.exe[2632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C00001
.text C:\WINDOWS\ehome\ehtray.exe[2632] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jusched.exe[2676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D30001
.text C:\Program Files\Java\jre6\bin\jusched.exe[2676] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[2692] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B00001
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[2692] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\iTunes\iTunesHelper.exe[2740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D30001
.text C:\Program Files\iTunes\iTunesHelper.exe[2740] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[2820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 008E0001
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[2820] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\Rundll32.exe[2852] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BF0001
.text C:\WINDOWS\system32\Rundll32.exe[2852] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\Rundll32.exe[2864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BF0001
.text C:\WINDOWS\system32\Rundll32.exe[2864] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\rundll32.exe[2872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BF0001
.text C:\WINDOWS\system32\rundll32.exe[2872] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\alg.exe[2920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001
.text C:\WINDOWS\System32\alg.exe[2920] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\eHome\ehmsas.exe[3236] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003D0001
.text C:\WINDOWS\eHome\ehmsas.exe[3236] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.31\MoeMonitor.exe[3284] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.31\MoeMonitor.exe[3284] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[3464] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B00001
.text C:\WINDOWS\system32\ctfmon.exe[3464] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\ehome\RMSvc.exe[3544] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00940001
.text C:\WINDOWS\ehome\RMSvc.exe[3544] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0080
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F81
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00C2
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F70
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F55
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E4
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0113
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0051
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0091
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[3556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00D3
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290036
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290073
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029001B
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290062
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290051
.text C:\WINDOWS\System32\svchost.exe[3556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0FB7
.text C:\WINDOWS\System32\svchost.exe[3556] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0038
.text C:\WINDOWS\System32\svchost.exe[3556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FC8
.text C:\WINDOWS\System32\svchost.exe[3556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[3556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FE3
.text C:\WINDOWS\System32\svchost.exe[3556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660FEF
.text C:\Program Files\iPod\bin\iPodService.exe[4056] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 008D0001
.text C:\Program Files\iPod\bin\iPodService.exe[4056] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F5F
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F70
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F81
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0025
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0087
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0076
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F13
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F24
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EF8
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0065
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\Explorer.EXE[4092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0098
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F9E
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FAF
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290051
.text C:\WINDOWS\Explorer.EXE[4092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290040
.text C:\WINDOWS\Explorer.EXE[4092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0069
.text C:\WINDOWS\Explorer.EXE[4092] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A004E
.text C:\WINDOWS\Explorer.EXE[4092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0033
.text C:\WINDOWS\Explorer.EXE[4092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[4092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FDE
.text C:\WINDOWS\Explorer.EXE[4092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A000C
.text C:\WINDOWS\Explorer.EXE[4092] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[4092] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[4092] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C0011
.text C:\WINDOWS\Explorer.EXE[4092] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 002C002C
.text C:\WINDOWS\Explorer.EXE[4092] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 01981102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\Explorer.EXE[4092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01AF000A
.text C:\Documents and Settings\Joe\Desktop\gmer\gmer.exe[4624] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003D0001
.text C:\Documents and Settings\Joe\Desktop\gmer\gmer.exe[4624] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Mozilla Firefox\firefox.exe[4676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001
.text C:\Program Files\Mozilla Firefox\firefox.exe[4676] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text c:\WINDOWS\eHome\RMSysTry.exe[4868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A10001
.text c:\WINDOWS\eHome\RMSysTry.exe[4868] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wpabaln.exe[5168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AF0001
.text C:\WINDOWS\system32\wpabaln.exe[5168] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\ehome\McrdSvc.exe[5352] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 007C0001
.text C:\WINDOWS\ehome\McrdSvc.exe[5352] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wscntfy.exe[5876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\WINDOWS\system32\wscntfy.exe[5876] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\dllhost.exe[2140] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\dllhost.exe[2140] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\dllhost.exe[2140] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\dllhost.exe[2140] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\dllhost.exe[2140] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\dllhost.exe[2140] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs ,
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----
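The GMER output above lists the same hook (KERNEL32.dll!LoadLibraryExW redirected to 5F080000) in every process and module, and a Registry section whose AppInit_DLLs value is empty while LoadAppInit_DLLs is 1. Reading that by eye across hundreds of lines is error-prone, so here is an added example (not GMER's own code, and not from anyone in this thread) that parses the two line shapes shown in the log and reduces them to what a helper wants to check: which hook targets exist, how many processes share each one, and whether AppInit_DLLs actually names any DLL. The sample log is constructed from lines quoted in the thread; GMER does not say which product installed the hook, and neither does this code.

```python
"""Summarize IAT hook and AppInit_DLLs entries from a GMER 1.0.15 text log.

Added example, not GMER's own code. It parses the line shapes quoted in this
thread ("IAT <process>[<pid>] @ <module> [<dll>!<function>] <address>" and
"Reg <key>@<value_name> <value>") and groups hooks by the function and the
address they redirect to, so one address shared by every process (consistent
with a single user-mode hooking component, which GMER does not name) is
distinguishable from a one-off hook in a single process.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER output quoted above.
SAMPLE_GMER_LOG = r"""
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3556] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[4092] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 5F080000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs ,
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
"""

IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<target>[^\]]+)\] (?P<address>[0-9A-Fa-f]+)$"
)
# "Reg <key>@<name> <value>"; the value part is absent for an empty value.
REG_RE = re.compile(r"^Reg (?P<key>[^@]+)@(?P<name>\S+)(?: (?P<value>.*))?$")


def parse_iat_hooks(log_text):
    """Return one dict per IAT line: process, pid, module, target, address."""
    hooks = []
    for line in log_text.splitlines():
        m = IAT_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def short_process(hook):
    """Full image path plus pid -> 'Explorer.EXE[4092]' for compact output."""
    return "%s[%s]" % (hook["process"].rsplit("\\", 1)[-1], hook["pid"])


def hooks_by_target(hooks):
    """Group hooks by (imported function, hook address) -> sorted process list.

    A target reached from every process at one address is the uniform
    pattern seen in this log; a second address, or a target hooked in only
    one process, is the kind of entry that deserves a closer look.
    """
    groups = defaultdict(set)
    for h in hooks:
        groups[(h["target"], h["address"].upper())].add(short_process(h))
    return {k: sorted(v) for k, v in groups.items()}


def parse_registry(log_text):
    """Map value name -> value string for the 'Reg' lines ('' when absent)."""
    values = {}
    for line in log_text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("value") or ""
    return values


def appinit_dlls(reg_values):
    """DLLs named in AppInit_DLLs (comma or space separated). A bare ',' as in
    this log yields an empty list: nothing is injected even with the loader on."""
    return [d for d in re.split(r"[,\s]+", reg_values.get("AppInit_DLLs", "")) if d]


def appinit_is_active(reg_values):
    """True only when loading is enabled and at least one DLL is listed."""
    return reg_values.get("LoadAppInit_DLLs") == "1" and bool(appinit_dlls(reg_values))


if __name__ == "__main__":
    hooks = parse_iat_hooks(SAMPLE_GMER_LOG)
    for (target, addr), procs in hooks_by_target(hooks).items():
        print("%s -> %s hooked in %d process(es): %s"
              % (target, addr, len(procs), ", ".join(procs)))
    reg = parse_registry(SAMPLE_GMER_LOG)
    print("AppInit_DLLs:", appinit_dlls(reg), "active:", appinit_is_active(reg))
```

Run it against a saved GMER log by replacing SAMPLE_GMER_LOG with the file contents; the grouping keeps the module-by-module lines out of the way and leaves the two questions that matter for triage, hook targets and AppInit state.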

#14 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:22 PM

Posted 22 April 2009 - 12:08 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Edited by rigel, 22 April 2009 - 12:09 PM.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith


#15 chulomex3

chulomex3
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:22 PM

Posted 26 April 2009 - 10:43 PM

I ran it but I wasn't sure if I moved the files option so I ran it again. I have the first and second log files.

First time.


WHSConnector.msi\stream002;C:\Documents and Settings\Administrator\Desktop\Home Server Connector Software\WHSConnector.msi;Trojan.MSNSpy.origin;;
WHSConnector.msi;C:\Documents and Settings\Administrator\Desktop\Home Server Connector Software;Archive contains infected objects;Moved.;
WHSConnector.msi\stream002;C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Home Server\WHSConnector.msi;Trojan.MSNSpy.origin;;
WHSConnector.msi;C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Home Server;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Joe\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Joe\Desktop;Archive contains infected objects;Moved.;
restart.exe;C:\Documents and Settings\Joe\Desktop\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0008739.msi\stream002;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP24\A0008739.msi;Trojan.MSNSpy.origin;;
A0008739.msi;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP24;Archive contains infected objects;Moved.;
A0008740.msi\stream002;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP24\A0008740.msi;Trojan.MSNSpy.origin;;
A0008740.msi;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP24;Archive contains infected objects;Moved.;
A0014563.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP60\A0014563.exe;Tool.Prockill;;
A0014563.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP60\A0014563.exe;Tool.ShutDown.14;;
A0014563.exe;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP60;Archive contains infected objects;Moved.;
A0014573.msi\stream002;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP60\A0014573.msi;Trojan.MSNSpy.origin;;
A0014573.msi;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP60;Archive contains infected objects;Moved.;
A0015979.msi\stream002;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72\A0015979.msi;Trojan.MSNSpy.origin;;
A0015979.msi;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72;Archive contains infected objects;Moved.;
A0015980.msi\stream002;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72\A0015980.msi;Trojan.MSNSpy.origin;;
A0015980.msi;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72;Archive contains infected objects;Moved.;
A0015981.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72\A0015981.exe;Tool.Prockill;;
A0015981.exe;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72;Archive contains infected objects;Moved.;
13af6a0.msi\stream006;C:\WINDOWS\Installer\13af6a0.msi;Trojan.MSNSpy.origin;;
13af6a0.msi;C:\WINDOWS\Installer;Archive contains infected objects;Moved.;
How To Change Date Time.exe;D:\Desktop 08\NEW.Windows.Vista.x86.x64.Activation.Crack.6st.February - CLoNY;Trojan.DownLoader.49850;Deleted.;
A0015983.exe;D:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72;Trojan.DownLoader.49850;Deleted.;



Second time without reboot still in safe mode.

A0015982.msi\stream006;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72\A0015982.msi;Trojan.MSNSpy.origin;;
A0015982.msi;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72;Archive contains infected objects;Moved.;
A0015984.exe;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72;Tool.ShutDown.14;Incurable.Moved.;
A0015985.exe;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP72;Tool.Prockill;Incurable.Moved.;
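The two DrWeb.csv reports above use a fixed four-field layout (object;path;detection;action;), with an archive member written as archive\member and the archive's own "Archive contains infected objects" line carrying the action for both. The following is an added example, not Dr.Web's code and not posted by anyone in this thread, that parses that layout and answers the questions a helper asks of such a report: what was found, what was left without any action, how much of it is only restore-point copies under System Volume Information, and which hits are Tool.* names (assumed here to mark dual-use utilities, such as the process killer shipped with SDFix, rather than an infection). The sample report is constructed from lines in the thread plus one made-up entry, placeholder.dll, with an empty action column.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) of the kind posted above.

Added example, not Dr.Web's code. It assumes the four-field layout visible
in the thread: object;path;detection;action; where an archive member is
written "<archive>\\<member>" with the archive's full path in the path
column, and the container line that follows carries the action for both.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from the report in this thread, plus one
# made-up entry (placeholder.dll / Trojan.Placeholder) with an empty action
# column to show how an unresolved detection is surfaced.
SAMPLE_REPORT = r"""
WHSConnector.msi\stream002;C:\Documents and Settings\Administrator\Desktop\Home Server Connector Software\WHSConnector.msi;Trojan.MSNSpy.origin;;
WHSConnector.msi;C:\Documents and Settings\Administrator\Desktop\Home Server Connector Software;Archive contains infected objects;Moved.;
restart.exe;C:\Documents and Settings\Joe\Desktop\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
A0008739.msi\stream002;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP24\A0008739.msi;Trojan.MSNSpy.origin;;
A0008739.msi;C:\System Volume Information\_restore{AA81EC57-D490-44DD-8502-FC74B8C9D871}\RP24;Archive contains infected objects;Moved.;
How To Change Date Time.exe;D:\Desktop 08\NEW.Windows.Vista.x86.x64.Activation.Crack.6st.February - CLoNY;Trojan.DownLoader.49850;Deleted.;
placeholder.dll;C:\WINDOWS\system32;Trojan.Placeholder;;
"""


@dataclass
class Detection:
    obj: str      # file name, or "<archive>\<member>" for an archive member
    path: str     # directory of the file, or full path of the archive for a member
    name: str     # Dr.Web detection name
    action: str   # "Moved.", "Deleted.", "Incurable.Moved." or "" (nothing done)

    @property
    def is_member(self):
        return "\\" in self.obj

    @property
    def in_restore_point(self):
        # Restore-point copies live under System Volume Information\_restore{...}
        return "\\System Volume Information\\" in self.path

    @property
    def is_riskware(self):
        # Assumption: the Tool.* prefix marks dual-use utilities (here the
        # process killer / reboot helpers bundled with SDFix and SmitfraudFix)
        # rather than an infection in its own right.
        return self.name.startswith("Tool.")


def parse_drweb_report(text):
    """One Detection per report line; blank or malformed lines are skipped.

    The report is semicolon separated with a trailing ';', so split() yields
    a fifth empty field that is ignored. Paths in this format carry no ';'.
    """
    records = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        obj, path, name, action = parts[:4]
        records.append(Detection(obj, path, name, action))
    return records


def summarize(records):
    """Counts by detection name plus the lists a helper wants to act on."""
    return {
        "by_name": Counter(r.name for r in records),
        # A member line has no action of its own; the archive's container
        # line carries it. A top-level file with an empty action was neither
        # cured, moved nor deleted and still needs attention.
        "unresolved": [r for r in records if not r.action and not r.is_member],
        # Hits inside restore points come back with each scan until System
        # Restore is flushed, and do not indicate a live infection by themselves.
        "restore_point_hits": sum(1 for r in records if r.in_restore_point),
        "riskware": [r for r in records if r.is_riskware],
    }


if __name__ == "__main__":
    summary = summarize(parse_drweb_report(SAMPLE_REPORT))
    for name, count in summary["by_name"].most_common():
        print("%3d  %s" % (count, name))
    print("restore-point hits:", summary["restore_point_hits"])
    print("riskware:", [r.obj for r in summary["riskware"]])
    print("unresolved:", [(r.obj, r.path) for r in summary["unresolved"]])
```

To use it on a real report, read DrWeb.csv from the desktop in place of SAMPLE_REPORT; the "unresolved" list is the part worth reading first, since it is exactly what the Cure > Move incurable step is meant to leave empty.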



