
I think a backdoor trojan, help please!


This topic is locked
14 replies to this topic

#1 peter_08

Posted 18 April 2009 - 05:43 AM

HijackThis report:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Peter at 11:35:47.14 on 18/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1789.732 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Postoffice\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Peter\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Power2GoExpress] NA
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [UKPostoffice] "c:\program files\postoffice\\bin\sprtcmd.exe" /P UKPostoffice
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\users\peter\appdata\roaming\microsoft\windows\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1238071465582&h=f362e003a9d44bf6e4b243d71159d000/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

============= SERVICES / DRIVERS ===============

R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2008-4-15 13312]
S3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [2008-5-3 133504]

=============== Created Last 30 ================

2009-04-18 11:10 <DIR> --d----- C:\toolb
2009-04-17 16:39 790,560 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-17 16:39 10,340 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-17 16:18 <DIR> --d----- c:\programdata\ParetoLogic
2009-04-17 16:18 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-04-17 16:18 <DIR> --d----- c:\progra~2\ParetoLogic
2009-04-17 12:49 8,213 a------- c:\windows\system32\Config.MPF
2009-04-17 12:47 <DIR> --d----- c:\programdata\SiteAdvisor
2009-04-17 12:46 118 a------- c:\windows\system32\MRT.INI
2009-04-17 12:44 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-17 12:44 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-17 12:44 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-17 12:44 130,424 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-17 12:43 <DIR> --d----- c:\program files\common files\McAfee
2009-04-17 12:43 <DIR> --d----- c:\program files\McAfee.com
2009-04-17 12:43 <DIR> --d----- c:\program files\McAfee
2009-04-17 12:36 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-17 09:01 376,832 a------- c:\windows\system32\winhttp.dll
2009-04-17 09:01 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-04-17 09:01 38,912 a------- c:\windows\system32\xolehlp.dll
2009-04-17 09:01 551,424 a------- c:\windows\system32\rpcss.dll
2009-04-17 09:01 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-17 08:56 <DIR> --d----- c:\programdata\McAfee
2009-03-26 13:12 161,792 a------- c:\windows\SWREG.exe
2009-03-26 13:12 98,816 a------- c:\windows\sed.exe
2009-03-26 12:39 <DIR> --d----- c:\users\peter\appdata\roaming\Malwarebytes
2009-03-26 12:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 12:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 12:34 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-26 12:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 12:34 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-25 16:59 385,024 a------- c:\windows\system32\html.iec
2009-03-25 16:58 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-20 00:28 7,062 a------- c:\windows\system32\audiopid.vxd
2009-03-20 00:27 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-03-20 00:27 41,984 -------- c:\windows\Ctregrun.exe
2009-03-20 00:26 <DIR> --d----- c:\windows\CtDrvInstall
2009-03-20 00:23 306,688 a------- c:\windows\IsUninst.exe
2009-03-20 00:21 <DIR> --d----- c:\program files\Creative
2009-03-19 23:57 <DIR> --d----- c:\users\peter\Tracing
2009-03-19 23:55 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-19 23:40 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-03-26 13:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-20 00:32 51,200 a------- c:\windows\inf\infpub.dat
2009-03-20 00:32 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-20 00:32 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-08 12:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 12:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 12:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 12:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 12:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 12:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 12:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 12:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 12:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 12:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 12:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 12:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 12:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 12:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 12:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 12:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 12:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 12:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-03 05:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 05:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 05:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 05:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 05:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 05:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 04:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 03:38 17,408 a------- c:\windows\system32\iashost.exe
2009-02-13 09:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 09:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-09 04:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-04 06:00 274,432 a------- c:\windows\system32\Oemdspif.dll
2009-02-04 06:00 11,264 a------- c:\windows\system32\atimuixx.dll
2009-02-04 05:07 51,712 a------- c:\windows\system32\amdpcom32.dll
2009-02-04 05:07 131,072 a------- c:\windows\system32\atiadlxx.dll
2009-02-04 04:01 57,344 a------- c:\windows\system32\aticalrt.dll
2009-02-04 04:01 53,248 a------- c:\windows\system32\aticalcl.dll
2009-02-04 03:58 3,252,224 a------- c:\windows\system32\aticaldd.dll
2008-07-14 13:54 500,601 a---h--- c:\users\peter\attachments_14_07_2008.zip
2008-06-12 10:45 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-25 14:17 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:36:46.93 ===============


Can also post ComboFix report if needed, can normally fix most things but not this. Internet sluggish. My antivirus found 2 trojans but can't seem to find the scan report to get the names of them.



#2 peter_08 (Topic Starter)

Posted 19 April 2009 - 06:39 AM

Sorry, forgot to add that the download/upload is about half its normal rate; couldn't see an edit option on my post so posting again, not meaning to bump.

thanks.

#3 peter_08 (Topic Starter)

Posted 24 April 2009 - 06:53 AM

Anyone out there?

#4 extremeboy (Malware Response Team)

Posted 03 May 2009 - 12:51 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the [image] button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the [image] button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance, please post a new set of DDS logs and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log, please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems, just let me know in your next reply or simply post a HijackThis log.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#5 peter_08 (Topic Starter)

Posted 04 May 2009 - 06:10 AM

Hey, thanks for helping.

New set of logs:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Peter at 12:05:26.89 on 04/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1789.789 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Postoffice\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Peter\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Power2GoExpress] NA
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [UKPostoffice] "c:\program files\postoffice\\bin\sprtcmd.exe" /P UKPostoffice
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\users\peter\appdata\roaming\microsoft\windows\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1238071465582&h=f362e003a9d44bf6e4b243d71159d000/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

============= SERVICES / DRIVERS ===============

R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2008-4-15 13312]
S3 AF05BDA;AF9005 BDA Device;c:\windows\system32\drivers\AF05BDA.sys [2008-5-3 133504]

=============== Created Last 30 ================

2009-05-01 18:04 <DIR> --d----- c:\windows\system32\directx
2009-04-18 11:10 <DIR> --d----- C:\toolb
2009-04-17 16:39 790,560 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-17 16:39 10,340 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-17 16:18 <DIR> --d----- c:\programdata\ParetoLogic
2009-04-17 16:18 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-04-17 16:18 <DIR> --d----- c:\progra~2\ParetoLogic
2009-04-17 12:49 10,443 a------- c:\windows\system32\Config.MPF
2009-04-17 12:47 <DIR> --d----- c:\programdata\SiteAdvisor
2009-04-17 12:46 118 a------- c:\windows\system32\MRT.INI
2009-04-17 12:44 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-17 12:44 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-17 12:44 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-17 12:44 130,424 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-17 12:43 <DIR> --d----- c:\program files\common files\McAfee
2009-04-17 12:43 <DIR> --d----- c:\program files\McAfee.com
2009-04-17 12:43 <DIR> --d----- c:\program files\McAfee
2009-04-17 12:36 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-17 09:01 376,832 a------- c:\windows\system32\winhttp.dll
2009-04-17 09:01 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-04-17 09:01 38,912 a------- c:\windows\system32\xolehlp.dll
2009-04-17 09:01 551,424 a------- c:\windows\system32\rpcss.dll
2009-04-17 09:01 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-17 08:56 <DIR> --d----- c:\programdata\McAfee

==================== Find3M ====================

2009-03-26 13:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-20 00:32 51,200 a------- c:\windows\inf\infpub.dat
2009-03-20 00:32 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-20 00:32 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-08 12:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 12:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 12:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 12:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 12:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 12:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 12:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 12:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 12:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 12:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 12:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 12:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 12:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 12:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 12:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 12:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 12:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 12:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-03 05:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 05:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 05:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 05:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 05:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 05:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 04:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 03:38 17,408 a------- c:\windows\system32\iashost.exe
2009-02-13 09:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 09:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-09 04:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-04 06:00 274,432 a------- c:\windows\system32\Oemdspif.dll
2009-02-04 06:00 11,264 a------- c:\windows\system32\atimuixx.dll
2009-02-04 05:07 51,712 a------- c:\windows\system32\amdpcom32.dll
2009-02-04 05:07 131,072 a------- c:\windows\system32\atiadlxx.dll
2009-02-04 04:01 57,344 a------- c:\windows\system32\aticalrt.dll
2009-02-04 04:01 53,248 a------- c:\windows\system32\aticalcl.dll
2009-02-04 03:58 3,252,224 a------- c:\windows\system32\aticaldd.dll
2008-07-14 13:54 500,601 a---h--- c:\users\peter\attachments_14_07_2008.zip
2008-06-12 10:45 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-25 14:17 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:06:42.22 ===============


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:07 PM

Posted 04 May 2009 - 02:30 PM

Hello again.

Please answer this question.

If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

With Regards,
Extremeboy


Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 peter_08

peter_08
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:07 PM

Posted 04 May 2009 - 02:48 PM

Sluggish internet, poor upload/download speed compared to other laptop.

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:07 PM

Posted 04 May 2009 - 04:57 PM

Hello again.

Please run the following two tools.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
    Alternate Download Site 3
  • Unzip/extract the file to its own folder. Right-Click and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will now start extracting.
  • Once it is done, check (tick) the Show extracted files box and click Finish
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on gmer.exe and select Run as administrator to run it. It will start running a scan.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If you receive no notice, click on the Scan button near the bottom.

  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

With Regards,
Extremeboy
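GMER's log lists SSDT entries and inline hooks, and a line carries a module path plus vendor in parentheses only when GMER can attribute the hook target to a loaded module. The following Python is an added example, not part of this thread and not GMER's own code, showing how a responder can triage such a log offline: it separates hooks attributed to a named driver (which can be checked against the security software the machine is known to run) from user-mode hooks in system processes that carry no attribution at all. The sample log embedded in it is constructed in the GMER 1.0.15 line format with placeholder paths and vendor names; the process and driver names are illustrative only.

```python
"""Triage a GMER rootkit-scan log (added example, not GMER's own code).

Splits hook records into those attributed to a named module and user-mode
inline hooks with no attribution, grouped by the process they were found in.
"""
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format; driver, process and vendor
# names are placeholders, not values from any real scan.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\examplehids.sys (Example HIDS Driver/Example Vendor) ZwCreateFile [0x8C6824FE]
Code \SystemRoot\system32\drivers\examplehids.sys (Example HIDS Driver/Example Vendor) NtOpenProcess

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!NtOpenProcess 82217778 5 Bytes JMP 8C682474 \SystemRoot\system32\drivers\examplehids.sys (Example HIDS Driver/Example Vendor)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 005A00C4
.text C:\Windows\system32\services.exe[576] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00550FEF
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00170047
.text C:\Program Files\Example Vendor\proxy.exe[1008] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 0041C1B0 C:\Program Files\Example Vendor\proxy.exe (Proxy Service Module/Example Vendor)
"""

# "---- <section name> - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# SSDT entries in the System section: "Code <module> (<desc>) <Api> [0xADDR]"
SSDT_RE = re.compile(
    r"^Code (?P<module>.+?) \((?P<desc>[^)]*)\) (?P<api>\S+)(?: \[(?P<addr>0x[0-9A-Fa-f]+)\])?$")
# Inline hooks in Kernel/User sections; the trailing "<module> (<desc>)" is optional.
INLINE_RE = re.compile(
    r"^(?P<seg>\.text|PAGE|INIT) (?P<where>.+?) (?P<addr>[0-9A-Fa-f]+) (?P<n>\d+) Bytes "
    r"JMP (?P<target>[0-9A-Fa-f]+)(?: (?P<module>.+?) \((?P<desc>[^)]*)\))?$")
# "<process path>[<pid>] <dll>!<Api>" for user-mode records
WHERE_RE = re.compile(r"^(?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+)$")


def parse_gmer(text):
    """Return hook records (dicts) from the System, Kernel and User sections."""
    section, hooks = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                hooks.append({"section": "ssdt", "process": "kernel", "pid": None,
                              "api": m.group("api"), "target": m.group("addr"),
                              "module": m.group("module"), "vendor": m.group("desc")})
            continue
        m = INLINE_RE.match(line)
        if not m:
            continue  # other GMER record types (devices, files, registry) are not hooks
        pm = WHERE_RE.match(m.group("where"))
        if pm:
            process, pid, api = pm.group("proc"), int(pm.group("pid")), pm.group("api")
        else:
            process, pid, api = "kernel", None, m.group("where")
        hooks.append({"section": "user" if pm else "kernel", "process": process,
                      "pid": pid, "api": api, "target": m.group("target"),
                      "module": m.group("module"), "vendor": m.group("desc")})
    return hooks


def unattributed_user_hooks(hooks):
    """User-mode hooks whose JMP target GMER could not tie to any module, keyed
    by 'process[pid]'. Security products normally appear with a module path and
    vendor; a bare target in a system process is what to look at first."""
    by_proc = defaultdict(list)
    for h in hooks:
        if h["section"] == "user" and h["module"] is None:
            by_proc[f"{h['process']}[{h['pid']}]"].append((h["api"], h["target"]))
    return dict(by_proc)


def hooking_modules(hooks):
    """(module, vendor) pairs that own attributed hooks, to compare against the
    AV/HIPS products the machine is known to run."""
    return {(h["module"], h["vendor"]) for h in hooks if h["module"]}


def triage(text):
    """Parse a GMER log and return the two lists a responder reviews first."""
    hooks = parse_gmer(text)
    return {"attributed": sorted(hooking_modules(hooks)),
            "unattributed": unattributed_user_hooks(hooks)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for module, vendor in report["attributed"]:
        print(f"attributed hooks: {module}  ({vendor})")
    for proc, entries in report["unattributed"].items():
        print(f"UNATTRIBUTED user-mode hooks in {proc}:")
        for api, target in entries:
            print(f"    {api} -> {target}")
```

Run against a real GMER.txt by replacing SAMPLE_LOG with the file contents. Attributed hooks still need a judgement call: the module and vendor should match a product actually installed on the machine, which is why they are listed rather than silently dropped.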

#9 peter_08

peter_08
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:07 PM

Posted 05 May 2009 - 01:51 PM

Hi as requested:

Malwarebytes' Anti-Malware 1.36
Database version: 2078
Windows 6.0.6001 Service Pack 1

05/05/2009 19:06:20
mbam-log-2009-05-05 (19-06-20).txt

Scan type: Quick Scan
Objects scanned: 69732
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HeroCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)


And....


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-05 19:48:23
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C6824FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8C682498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8C6824AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C68253C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C68257F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C682470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8C682484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8C682512]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8C6825A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8C682593]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8C6824EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C6824D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C68256B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C682552]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C682528]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8C6824C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 82081C26 5 Bytes JMP 8C68252C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 82217778 5 Bytes JMP 8C682474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 82224A49 5 Bytes JMP 8C682583 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8224B3DB 7 Bytes JMP 8C682516 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 822584A0 5 Bytes JMP 8C682556 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 82258829 7 Bytes JMP 8C682540 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 82263046 5 Bytes JMP 8C682502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 822638F4 5 Bytes JMP 8C6824DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 82267FA9 5 Bytes JMP 8C68256F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8226C271 5 Bytes JMP 8C682488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateUserProcess 8227A83B 5 Bytes JMP 8C6824C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 822981D0 5 Bytes JMP 8C682597 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8229921A 5 Bytes JMP 8C6825AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 822D7265 5 Bytes JMP 8C68249C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 822D72B0 7 Bytes JMP 8C6824B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 822D7D6F 5 Bytes JMP 8C6824EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[576] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 005A0098
.text C:\Windows\system32\services.exe[576] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 005A0087
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 005A00C4
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 005A00B3
.text C:\Windows\system32\services.exe[576] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 005A0F66
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 005A0FD4
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 005A0F77
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 005A0FB9
.text C:\Windows\system32\services.exe[576] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 005A005B
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 005A0F94
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 005A0040
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 005A006C
.text C:\Windows\system32\services.exe[576] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 005A00DF
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 005A0011
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 005A0000
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 005A0FE5
.text C:\Windows\system32\services.exe[576] kernel32.dll!WinExec 762154FF 5 Bytes JMP 005A0F41
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00990047
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00990FC0
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00990000
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00990FAF
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00990058
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00990011
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00990FDB
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 0099002C
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 0098002C
.text C:\Windows\system32\services.exe[576] msvcrt.dll!system 76EC8B63 5 Bytes JMP 0098001B
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00980FB5
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00980FE3
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 0098000A
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00980FD2
.text C:\Windows\system32\services.exe[576] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00550FEF
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 00170F3C
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00170082
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 001700AE
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 0017009D
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00170F83
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00170FE5
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00170F94
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00170FB6
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00170F72
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00170FA5
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00170047
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00170F61
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00170F06
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 0017001B
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00170000
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00170036
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00170F21
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00CF0047
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00CF002C
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00CF0FE5
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00CF0FAF
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00CF0F8A
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00CF0011
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00CF0000
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00CF0FC0
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00180053
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00180038
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00180FC8
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00180000
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 0018001D
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00180FE3
.text C:\Windows\system32\lsass.exe[592] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00160000
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 006F0F39
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 006F0089
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 006F0F1E
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 006F00B5
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 006F0F6F
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 006F0022
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 006F003D
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 006F0F9B
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 006F006E
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 006F0F80
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 006F0FB6
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 006F0F5E
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 006F0F03
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 006F0011
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 006F0000
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 006F0FDB
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!WinExec 762154FF 5 Bytes JMP 006F009A
.text C:\Windows\system32\svchost.exe[784] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 0082007A
.text C:\Windows\system32\svchost.exe[784] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00820069
.text C:\Windows\system32\svchost.exe[784] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00820029
.text C:\Windows\system32\svchost.exe[784] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00820000
.text C:\Windows\system32\svchost.exe[784] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00820044
.text C:\Windows\system32\svchost.exe[784] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00820FEF
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00830043
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00830FBC
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00830FEF
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00830FA1
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00830054
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00830FDE
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00830014
.text C:\Windows\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00830FCD
.text C:\Windows\system32\svchost.exe[784] WS2_32.dll!socket 75C636D1 5 Bytes JMP 006E0000
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 006F00D8
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 006F00C7
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 006F0104
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 006F00F3
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 006F006C
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 006F0FDB
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 006F005B
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 006F0FB9
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 006F0091
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 006F0FA8
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 006F0FCA
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 006F00A2
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 006F0115
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 006F001B
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 006F0000
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 006F0036
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!WinExec 762154FF 5 Bytes JMP 006F0F77
.text C:\Windows\system32\svchost.exe[844] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00700044
.text C:\Windows\system32\svchost.exe[844] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00700033
.text C:\Windows\system32\svchost.exe[844] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00700018
.text C:\Windows\system32\svchost.exe[844] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00700FEF
.text C:\Windows\system32\svchost.exe[844] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00700FCD
.text C:\Windows\system32\svchost.exe[844] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00700FDE
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00790FCD
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00790FDE
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00790FEF
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00790065
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00790FBC
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00790025
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00790014
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00790040
.text C:\Windows\system32\svchost.exe[844] WS2_32.dll!socket 75C636D1 5 Bytes JMP 006E0FE5
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 00AC0F30
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00AC0080
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00AC0F04
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00AC009B
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00AC0F81
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00AC0FD4
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00AC005B
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00AC0FA8
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00AC0F70
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00AC004A
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00AC0FC3
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00AC0F55
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00AC00B6
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00AC0FEF
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00AC000A
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00AC0025
.text C:\Windows\System32\svchost.exe[936] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00AC0F1F
.text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00AD0042
.text C:\Windows\System32\svchost.exe[936] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00AD0031
.text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00AD000C
.text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00AD0FEF
.text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00AD0FC1
.text C:\Windows\System32\svchost.exe[936] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00AD0FD2
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00B20062
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00B2002C
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00B20000
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00B20047
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00B20073
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00B2001B
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00B20FE5
.text C:\Windows\System32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00B20FC0
.text C:\Windows\System32\svchost.exe[936] WS2_32.dll!socket 75C636D1 5 Bytes JMP 008D0FE5
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 00F30F70
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00F30F81
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00F300EC
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00F30F5F
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00F30FB7
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00F30FD4
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00F30091
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00F3005B
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00F30F9C
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00F30080
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00F3004A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00F300AC
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00F30F3A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00F3000A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00F30FEF
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00F30025
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00F300D1
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00F40049
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00F40038
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00F40FD9
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00F40000
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00F40FC8
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00F40011
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00F50F8D
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00F50FC3
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00F50FE5
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00F50FB2
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00F50F7C
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00F50FD4
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00F5000A
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00F5002F
.text C:\Windows\System32\svchost.exe[996] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00EC0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1008] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1008] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 015100A9
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 01510F63
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 01510F2D
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 015100C4
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 01510FA3
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 01510047
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 01510FC0
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 01510FDB
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 0151008E
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 0151007D
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 01510062
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 01510F7E
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 015100DF
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 0151001B
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 0151000A
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 01510036
.text C:\Windows\system32\svchost.exe[1012] kernel32.dll!WinExec 762154FF 5 Bytes JMP 01510F48
.text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 01520066
.text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!system 76EC8B63 5 Bytes JMP 01520055
.text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 01520029
.text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 01520FEF
.text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 0152003A
.text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 0152000C
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 015B0F9E
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 015B0FB9
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 015B000A
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 015B0040
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 015B0051
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 015B0FD4
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 015B0FE5
.text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 015B0025
.text C:\Windows\system32\svchost.exe[1012] WS2_32.dll!socket 75C636D1 5 Bytes JMP 01500000
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 0009007B
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 0009006A
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 000900C2
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 000900A7
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00090F6B
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00090FB9
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00090039
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00090F8D
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00090F50
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00090F7C
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00090F9E
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00090F3F
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00090F1A
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00090FDE
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00090FEF
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 0009000A
.text C:\Windows\system32\svchost.exe[1152] kernel32.dll!WinExec 762154FF 5 Bytes JMP 0009008C
.text C:\Windows\system32\svchost.exe[1152] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 007C0073
.text C:\Windows\system32\svchost.exe[1152] msvcrt.dll!system 76EC8B63 5 Bytes JMP 007C0FDE
.text C:\Windows\system32\svchost.exe[1152] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 007C0044
.text C:\Windows\system32\svchost.exe[1152] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 007C000C
.text C:\Windows\system32\svchost.exe[1152] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 007C0FEF
.text C:\Windows\system32\svchost.exe[1152] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 007C001D
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 007D0051
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 007D001B
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 007D0FE5
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 007D0036
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 007D0076
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 007D0FCA
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 007D0000
.text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 007D0FAF
.text C:\Windows\system32\svchost.exe[1152] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 00A30F1F
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00A30F30
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00A300A2
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00A30091
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00A30F66
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00A30FCA
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00A3004A
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00A30F9E
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00A3005B
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00A30F8D
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00A30FB9
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00A30F4B
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00A30EF0
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00A3000A
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00A30FEF
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00A3001B
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00A30080
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00AE0FC3
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00AE0044
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00AE0022
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00AE0000
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00AE0033
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00AE0011
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00F20FA5
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00F20047
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00F20000
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00F20FC0
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00F20F94
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00F20022
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00F20011
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00F20FDB
.text C:\Windows\system32\svchost.exe[1220] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00310FEF
.text C:\Windows\system32\svchost.exe[1220] WinInet.dll!InternetOpenA 7710B2D5 5 Bytes JMP 00EC0FEF
.text C:\Windows\system32\svchost.exe[1220] WinInet.dll!InternetOpenW 7710B92E 5 Bytes JMP 00EC0014
.text C:\Windows\system32\svchost.exe[1220] WinInet.dll!InternetOpenUrlA 7710DEF0 5 Bytes JMP 00EC002F
.text C:\Windows\system32\svchost.exe[1220] WinInet.dll!InternetOpenUrlW 77157347 5 Bytes JMP 00EC0FD4
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 009700B6
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 009700A5
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 009700DB
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00970F4E
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00970F8B
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00970FD4
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00970F9C
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00970040
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00970F7A
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00970065
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00970FC3
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00970094
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00970F33
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00970011
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00970000
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00970FE5
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00970F5F
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00980044
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00980033
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00980FC3
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00980FEF
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00980018
.text C:\Windows\system32\svchost.exe[1436] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00980FDE
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 0099006C
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00990FCA
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00990000
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 0099005B
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00990087
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00990025
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00990FEF
.text C:\Windows\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00990036
.text C:\Windows\system32\svchost.exe[1436] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00910000
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 006C00A2
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 006C0F66
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 006C0F30
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 006C0F41
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 006C0FA3
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 006C0047
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 006C007D
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 006C006C
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 006C0F88
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 006C0FCA
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 006C0FDB
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 006C0F77
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 006C00E2
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 006C001B
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 006C000A
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 006C0036
.text C:\Windows\system32\svchost.exe[1664] kernel32.dll!WinExec 762154FF 5 Bytes JMP 006C00BD
.text C:\Windows\system32\svchost.exe[1664] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 006D0044
.text C:\Windows\system32\svchost.exe[1664] msvcrt.dll!system 76EC8B63 5 Bytes JMP 006D0FB9
.text C:\Windows\system32\svchost.exe[1664] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 006D0029
.text C:\Windows\system32\svchost.exe[1664] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 006D0FEF
.text C:\Windows\system32\svchost.exe[1664] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 006D0FD4
.text C:\Windows\system32\svchost.exe[1664] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 006D0018
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 006E0051
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 006E0036
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 006E0000
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 006E0FAF
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 006E0F94
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 006E001B
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 006E0FE5
.text C:\Windows\system32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 006E0FCA
.text C:\Windows\system32\svchost.exe[1664] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00630000
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 000100C6
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00010F80
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 000100E1
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00010F4A
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00010086
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 0001002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00010FAC
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00010058
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00010F9B
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00010069
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 0001003D
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 000100AB
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00010F39
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00010FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00010000
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 0001001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00010F65
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 0004002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00040FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00040000
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00040F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00040047
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00040FD1
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00040011
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00040FB6
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!DialogBoxIndirectParamW 762CBD25 5 Bytes JMP 6E1EE021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!CreateWindowExW 762D3D67 5 Bytes JMP 6E0D4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!DialogBoxParamW 762E1FD5 5 Bytes JMP 6DFF9315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!DialogBoxParamA 763080B2 5 Bytes JMP 6E1EDFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!DialogBoxIndirectParamA 763083DD 5 Bytes JMP 6E1EE084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!MessageBoxIndirectA 7631D471 5 Bytes JMP 6E1EDF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!MessageBoxIndirectW 7631D56B 5 Bytes JMP 6E1EDEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!MessageBoxExA 7631D5D1 5 Bytes JMP 6E1EDE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] USER32.dll!MessageBoxExW 7631D5F5 5 Bytes JMP 6E1EDE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 0005003D
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00050FBC
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 0005002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00050000
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00050FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00050011
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] WININET.dll!InternetOpenA 7710B2D5 5 Bytes JMP 002B0000
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] WININET.dll!InternetOpenW 7710B92E 5 Bytes JMP 002B0FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] WININET.dll!InternetOpenUrlA 7710DEF0 5 Bytes JMP 002B001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] WININET.dll!InternetOpenUrlW 77157347 5 Bytes JMP 002B002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1908] ws2_32.dll!socket 75C636D1 5 Bytes JMP 00980FEF
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 00900F32
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00900082
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00900F17
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 009000AE
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 0090004C
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00900FA8
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00900F72
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 0090002F
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 0090005D
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00900F8D
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00900014
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00900F57
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 009000BF
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00900FCA
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00900FE5
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00900FB9
.text C:\Windows\system32\svchost.exe[2028] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00900093
.text C:\Windows\system32\svchost.exe[2028] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00910044
.text C:\Windows\system32\svchost.exe[2028] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00910FB9
.text C:\Windows\system32\svchost.exe[2028] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00910029
.text C:\Windows\system32\svchost.exe[2028] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00910000
.text C:\Windows\system32\svchost.exe[2028] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00910FD4
.text C:\Windows\system32\svchost.exe[2028] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00910FEF
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00920084
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00920062
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00920073
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 0092009F
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00920036
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 0092001B
.text C:\Windows\system32\svchost.exe[2028] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00920051
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 001E0F15
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 001E005B
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 001E0080
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 001E0EE9
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 001E0040
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 001E001B
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 001E0F66
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 001E0F9E
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 001E0F4B
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 001E0F8D
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 001E0FAF
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 001E0F30
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 001E0ECE
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 001E000A
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 001E0FEF
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 001E0FCA
.text C:\Windows\System32\svchost.exe[2052] kernel32.dll!WinExec 762154FF 5 Bytes JMP 001E0F04
.text C:\Windows\System32\svchost.exe[2052] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 001F0F92
.text C:\Windows\System32\svchost.exe[2052] msvcrt.dll!system 76EC8B63 5 Bytes JMP 001F001D
.text C:\Windows\System32\svchost.exe[2052] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 001F000C
.text C:\Windows\System32\svchost.exe[2052] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 001F0FE3
.text C:\Windows\System32\svchost.exe[2052] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 001F0FB7
.text C:\Windows\System32\svchost.exe[2052] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 001F0FD2
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00710FD1
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00710058
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00710000
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00710073
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00710FC0
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00710036
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 0071001B
.text C:\Windows\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00710047
.text C:\Windows\System32\svchost.exe[2052] WS2_32.dll!socket 75C636D1 5 Bytes JMP 001D000A
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 00640F54
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 006400A4
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00640F0D
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00640F1E
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00640089
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00640FCA
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00640078
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00640FAF
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00640F8A
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00640051
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00640036
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00640F79
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00640EFC
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 0064000A
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00640FE5
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 0064001B
.text C:\Windows\System32\svchost.exe[2080] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00640F39
.text C:\Windows\System32\svchost.exe[2080] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00650F92
.text C:\Windows\System32\svchost.exe[2080] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00650027
.text C:\Windows\System32\svchost.exe[2080] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00650FC1
.text C:\Windows\System32\svchost.exe[2080] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00650FEF
.text C:\Windows\System32\svchost.exe[2080] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00650016
.text C:\Windows\System32\svchost.exe[2080] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00650FD2
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00660FB9
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00660036
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 0066000A
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00660051
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00660076
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00660FE5
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 0066001B
.text C:\Windows\System32\svchost.exe[2080] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00660FD4
.text C:\Windows\System32\svchost.exe[2080] WS2_32.dll!socket 75C636D1 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 0026005D
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00260F17
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00260EF5
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00260F06
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00260F4D
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00260FA5
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00260F5E
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00260F8A
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00260038
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00260F6F
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00260011
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00260F28
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 002600A7
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00260000
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00260FE5
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00260FC0
.text C:\Windows\system32\svchost.exe[2128] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00260082
.text C:\Windows\system32\svchost.exe[2128] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00710F92
.text C:\Windows\system32\svchost.exe[2128] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00710FAD
.text C:\Windows\system32\svchost.exe[2128] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00710FD9
.text C:\Windows\system32\svchost.exe[2128] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00710000
.text C:\Windows\system32\svchost.exe[2128] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00710FBE
.text C:\Windows\system32\svchost.exe[2128] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 0071001D
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00720058
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00720FDB
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00720000
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00720FC0
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00720069
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 0072002C
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00720011
.text C:\Windows\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00720047
.text C:\Windows\system32\svchost.exe[2128] WS2_32.dll!socket 75C636D1 5 Bytes JMP 000F000A
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 00A500B8
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00A50F68
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00A500DD
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00A50F46
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00A50089
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00A50040
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00A5006C
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00A5005B
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00A50F94
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00A50FB9
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00A50FDE
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00A50F79
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 00A50F2B
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00A50025
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00A5000A
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00A50FEF
.text C:\Windows\system32\svchost.exe[2248] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00A50F57
.text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00AE004E
.text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00AE003D
.text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00AE0FD7
.text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00AE0000
.text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00AE002C
.text C:\Windows\system32\svchost.exe[2248] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00AE0011
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00F00F7C
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00F00F9E
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00F00FEF
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00F00F8D
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00F00043
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00F00FCA
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00F00000
.text C:\Windows\system32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00F00FB9
.text C:\Windows\system32\svchost.exe[2248] WS2_32.dll!socket 75C636D1 5 Bytes JMP 0089000A
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 000500BD
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 000500A2
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 000500FD
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 000500E2
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00050F81
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00050036
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00050F9E
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00050FCA
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00050076
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00050FB9
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 0005005B
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00050087
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 0005010E
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00050FE5
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00050025
.text C:\Windows\System32\svchost.exe[2396] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00050F5C
.text C:\Windows\System32\svchost.exe[2396] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00060F9A
.text C:\Windows\System32\svchost.exe[2396] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00060FAB
.text C:\Windows\System32\svchost.exe[2396] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00060011
.text C:\Windows\System32\svchost.exe[2396] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 00060FE3
.text C:\Windows\System32\svchost.exe[2396] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00060FBC
.text C:\Windows\System32\svchost.exe[2396] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00070036
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00070F9E
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 00070047
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00070014
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00070FDE
.text C:\Windows\System32\svchost.exe[2396] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00070FB9
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 03160F59
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 031600A9
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 03160F23
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 031600BA
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 03160F88
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 03160FCA
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 0316006C
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 0316004A
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 0316007D
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 0316005B
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 03160FB9
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 0316008E
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 031600D5
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 0316000A
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 03160FEF
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 0316001B
.text C:\Windows\Explorer.EXE[3232] kernel32.dll!WinExec 762154FF 5 Bytes JMP 03160F48
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 03270F9B
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 0327002C
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 03270000
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 03270047
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 03270058
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 0327001B
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 03270FE5
.text C:\Windows\Explorer.EXE[3232] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 03270FCA
.text C:\Windows\Explorer.EXE[3232] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 03250049
.text C:\Windows\Explorer.EXE[3232] msvcrt.dll!system 76EC8B63 5 Bytes JMP 0325002E
.text C:\Windows\Explorer.EXE[3232] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 0325000C
.text C:\Windows\Explorer.EXE[3232] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 03250FEF
.text C:\Windows\Explorer.EXE[3232] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 0325001D
.text C:\Windows\Explorer.EXE[3232] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 03250FDE
.text C:\Windows\Explorer.EXE[3232] WS2_32.dll!socket 75C636D1 5 Bytes JMP 03110FEF
.text C:\Windows\Explorer.EXE[3232] WININET.dll!InternetOpenA 7710B2D5 5 Bytes JMP 03260FE5
.text C:\Windows\Explorer.EXE[3232] WININET.dll!InternetOpenW 7710B92E 5 Bytes JMP 03260000
.text C:\Windows\Explorer.EXE[3232] WININET.dll!InternetOpenUrlA 7710DEF0 5 Bytes JMP 0326001B
.text C:\Windows\Explorer.EXE[3232] WININET.dll!InternetOpenUrlW 77157347 5 Bytes JMP 03260FD4
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3628] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 0064EBE0 C:\Program Files\McAfee\SiteAdvisor\saPlugin.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!GetStartupInfoW 76181929 5 Bytes JMP 0001009E
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!GetStartupInfoA 761819C9 5 Bytes JMP 00010079
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!CreateProcessW 76181C01 5 Bytes JMP 00010F11
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!CreateProcessA 76181C36 5 Bytes JMP 00010F2C
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!VirtualProtect 76181DD1 5 Bytes JMP 00010F7A
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!CreateNamedPipeW 76185C44 5 Bytes JMP 00010FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!LoadLibraryExW 761A30C3 5 Bytes JMP 00010054
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!LoadLibraryW 761A361F 5 Bytes JMP 00010032
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!VirtualProtectEx 761A8D7E 5 Bytes JMP 00010F5F
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!LoadLibraryExA 761A9469 5 Bytes JMP 00010043
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!LoadLibraryA 761A9491 5 Bytes JMP 00010FA1
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!CreatePipe 761B0284 5 Bytes JMP 00010F4E
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!GetProcAddress 761CB8B6 5 Bytes JMP 000100C3
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!CreateFileW 761CCC4E 5 Bytes JMP 00010FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!CreateFileA 761CCF71 5 Bytes JMP 00010FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!CreateNamedPipeA 7621430E 5 Bytes JMP 00010FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] kernel32.dll!WinExec 762154FF 5 Bytes JMP 00010F3D
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegCreateKeyExA 776EB5E7 5 Bytes JMP 00040062
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegCreateKeyA 776EB8AE 5 Bytes JMP 00040036
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegOpenKeyA 776F0BF5 5 Bytes JMP 00040000
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegCreateKeyW 776FB83D 5 Bytes JMP 00040047
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegCreateKeyExW 776FBCE1 5 Bytes JMP 0004007D
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegOpenKeyExA 776FD4E8 5 Bytes JMP 00040FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegOpenKeyW 77703CB0 5 Bytes JMP 00040011
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ADVAPI32.dll!RegOpenKeyExW 7770F09D 5 Bytes JMP 00040FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!SetWindowsHookExW 762C7B69 5 Bytes JMP 6E0CDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!CallNextHookEx 762C8C33 5 Bytes JMP 6E0CDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!DialogBoxIndirectParamW 762CBD25 5 Bytes JMP 6E1EE021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!CreateWindowExW 762D3D67 5 Bytes JMP 6E0D4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!DialogBoxParamW 762E1FD5 5 Bytes JMP 6DFF9315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!UnhookWindowsHookEx 762F08BE 5 Bytes JMP 6E031CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!DialogBoxParamA 763080B2 5 Bytes JMP 6E1EDFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!DialogBoxIndirectParamA 763083DD 5 Bytes JMP 6E1EE084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!MessageBoxIndirectA 7631D471 5 Bytes JMP 6E1EDF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!MessageBoxIndirectW 7631D56B 5 Bytes JMP 6E1EDEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!MessageBoxExA 7631D5D1 5 Bytes JMP 6E1EDE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] USER32.dll!MessageBoxExW 7631D5F5 5 Bytes JMP 6E1EDE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] msvcrt.dll!_wsystem 76EC8A47 5 Bytes JMP 00050FBE
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] msvcrt.dll!system 76EC8B63 5 Bytes JMP 00050FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] msvcrt.dll!_creat 76ECC6F1 5 Bytes JMP 00050038
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] msvcrt.dll!_open 76ECDA7E 5 Bytes JMP 0005000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] msvcrt.dll!_wcreat 76ECDC9E 5 Bytes JMP 00050049
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] msvcrt.dll!_wopen 76ECDE79 5 Bytes JMP 0005001D
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ole32.dll!CoCreateInstance 75DAE188 5 Bytes JMP 6E0D488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] WININET.dll!InternetOpenA 7710B2D5 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] WININET.dll!InternetOpenW 7710B92E 5 Bytes JMP 00DE0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] WININET.dll!InternetOpenUrlA 7710DEF0 5 Bytes JMP 00DE0025
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] WININET.dll!InternetOpenUrlW 77157347 5 Bytes JMP 00DE0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4220] ws2_32.dll!socket 75C636D1 5 Bytes JMP 00E20FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74497BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744D98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7449D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7448F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74497599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7448E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744CB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7449D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7449012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74490095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744871F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7451D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744B75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7448DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7448668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744866BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3232] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74491E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3924] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:07 PM

Posted 05 May 2009 - 03:34 PM

Hello.

You had a part of a rootkit in your registry. Your computer may have been compromised before. Let me know what you decide to do.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan. Your computer may have been compromised before.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may do so.

#11 peter_08
  • Topic Starter
  • Members
  • 8 posts
  • Local time:07:07 PM

Posted 05 May 2009 - 04:00 PM

I have not accessed e-mail or banking from this computer.

Is it safe to copy music files and normal docs across to an external hard drive?

If so, I will do so and re-install... Thx for the info.

#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:07 PM

Posted 05 May 2009 - 04:35 PM

Hello.

Yes, it's possible. Here are some guidelines.

When backing up files and data there are mainly 2 general guidelines:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc..., as they may contain traces of malware. Also, .html or .htm files that are web pages should be avoided.

Note: Some may want to be safe, wondering whether their data files are infected or not, so to make sure you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all.

If you are going to use an external hard drive it would be a good idea if you can run this tool beforehand.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

You will need to format, not reinstall, but I think I know what you mean. :thumbup2:

Good luck!

With regards,
Extremeboy
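The two backup guidelines in the post above (copy data files, leave executables, scripts and web pages behind) come down to sorting files by type before they touch the new install. The following script is an added example and is not code from the thread or from BleepingComputer; the extension lists extend the types the post names with a few assumed additions in the same spirit, and the sample paths are constructed. It decides on the final extension only, so a disguised "holiday.jpg.exe" is skipped, and it refuses autorun.inf wherever it appears, since that is the file the later post describes USB worms relying on.

```python
# Added example, not part of the BleepingComputer thread: apply the two backup
# guidelines from the post above to a list of candidate Windows file paths.
from pathlib import PureWindowsPath

# Data types the post names as safe to copy (.doc, .txt, .mp3, .jpg);
# the remaining entries are assumptions that follow the same idea.
DATA_EXTENSIONS = {
    ".doc", ".docx", ".txt", ".rtf", ".pdf",
    ".mp3", ".wav", ".jpg", ".jpeg", ".png", ".gif",
}

# Types the post says to leave behind (.exe, .scr, .com, .pif, .html, .htm);
# the script, shortcut and library types are assumptions in the same spirit.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".html", ".htm",
    ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll",
}


def classify(path: str) -> str:
    """Return 'copy', 'skip' or 'review' for one Windows path.

    Only the final extension decides, so 'holiday.jpg.exe' counts as an
    executable and is skipped. autorun.inf is always skipped regardless of
    where it sits, because that is the file a USB worm relies on.
    """
    name = PureWindowsPath(path).name.lower()
    if name == "autorun.inf":
        return "skip"
    suffix = PureWindowsPath(name).suffix
    if suffix in RISKY_EXTENSIONS:
        return "skip"
    if suffix in DATA_EXTENSIONS:
        return "copy"
    return "review"  # unknown type: scan it and decide by hand


def plan_backup(paths):
    """Group candidate paths into copy / skip / review buckets."""
    plan = {"copy": [], "skip": [], "review": []}
    for p in paths:
        plan[classify(p)].append(p)
    return plan


# Constructed sample list (not from the thread), including a disguised
# double-extension executable and an autorun.inf at a removable-drive root.
SAMPLE_FILES = [
    r"C:\Users\Peter\Documents\report.doc",
    r"C:\Users\Peter\Music\track01.mp3",
    r"C:\Users\Peter\Pictures\holiday.jpg",
    r"C:\Users\Peter\Pictures\holiday.jpg.exe",
    r"C:\Users\Peter\Downloads\setup.exe",
    r"C:\Users\Peter\Desktop\page.htm",
    r"C:\Users\Peter\Desktop\notes.lnk",
    r"E:\autorun.inf",
    r"C:\Users\Peter\Documents\budget.ods",
]

if __name__ == "__main__":
    for bucket, files in plan_backup(SAMPLE_FILES).items():
        print(f"{bucket}:")
        for f in files:
            print("   ", f)
```

Everything in the "review" bucket (here the .ods spreadsheet, a type neither list knows) is what the post's note is about: scan it with an anti-virus and an anti-malware scanner before it goes onto the reformatted machine.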

#13 peter_08
  • Topic Starter
  • Members
  • 8 posts
  • Local time:07:07 PM

Posted 06 May 2009 - 04:21 AM

Cool,

Well, thx for all your help. I think re-formatting is a job for the weekend!

Peter

#14 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:07 PM

Posted 07 May 2009 - 02:49 PM

Good luck.

Below are some prevention tips. I hope they help you.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Many hacks and Trojans use methods that the updates have plugged but that still work because people have not updated.
  • Install ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, you will find a nice little article about turning on automatic updates here.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


With Regards,
Extremeboy

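The Autorun section above describes the mechanism a USB worm depends on: an AUTORUN.INF at the root of the drive whose directives make Windows run a program when the stick is inserted or the drive icon is double-clicked. The script below is an added example, not code from the thread or from the tools it mentions; it parses an autorun.inf body, reports whether any directive would launch a program, and can check a drive root for such a file. The two sample files are constructed. A stick that only sets a label or icon is left alone, and a folder named autorun.inf (the kind of protective placeholder the earlier post says Flash_Disinfector leaves behind) is reported as such rather than parsed.

```python
# Added example, not part of the BleepingComputer thread: inspect an autorun.inf
# the way the post describes USB worms using it, and say whether Windows would
# launch a program from it.
import os

# Directives that make Autorun/AutoPlay, or the drive's default double-click
# action, run something.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.

    Comment lines start with ';'; a later duplicate key overwrites an earlier one.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text: str) -> dict:
    """Classify an autorun.inf body.

    launches - True if any directive would run a program
    targets  - the 'key=command' pairs that would run
    verdict  - 'launches program' or 'label/icon only'
    """
    entries = parse_autorun(text)
    targets = []
    for key, value in entries.items():
        # shell\<verb>\command replaces the drive's Open/Explore menu actions
        is_shell_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_command:
            targets.append(f"{key}={value}")
    return {
        "launches": bool(targets),
        "targets": targets,
        "verdict": "launches program" if targets else "label/icon only",
    }


def inspect_drive_root(root: str):
    """Look for autorun.inf (any letter case) at a drive root and assess it.

    Returns None when there is no autorun.inf. A directory with that name is
    reported as a placeholder folder, not parsed. Reading the file is harmless;
    only Windows acting on it is the risk.
    """
    try:
        names = os.listdir(root)
    except OSError:
        return None
    for name in names:
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            if not os.path.isfile(path):
                return {"launches": False, "targets": [], "verdict": "placeholder folder"}
            with open(path, "r", errors="replace") as fh:
                return assess_autorun(fh.read())
    return None


# Constructed samples (not from the thread).
WORM_STYLE = """[AutoRun]
open=hidden\\update.exe
shell\\open\\Command=hidden\\update.exe
shell\\explore\\Command=hidden\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

BENIGN_STYLE = """[autorun]
label=Holiday Photos
icon=photos.ico
"""

if __name__ == "__main__":
    for label, body in (("worm-style", WORM_STYLE), ("benign", BENIGN_STYLE)):
        result = assess_autorun(body)
        print(f"{label}: {result['verdict']}")
        for t in result["targets"]:
            print("   ", t)
```

The check complements, rather than replaces, the advice in the post: with Autorun disabled the "open" directive no longer fires on insertion, but the shell\...\command entries still rewrite what a double-click on the drive does, which is why the post warns that double-clicking a drive with an autorun.inf in its root may still activate it.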

#15 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:07 PM

Posted 07 May 2009 - 02:51 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
