Possible rootkit / hack of my computer [Moved]
12 replies to this topic

#1 Han Su


Posted 04 July 2009 - 08:19 AM

My computer seems to be running pretty fine. I'm fairly careful about what I do, have VirusScan Enterprise 8.5 from work, and run Malwarebytes on a regular basis. Lately I've been reading my VirusScan logs and it's just been getting some funny readings. In particular a file called OYZGZP.exe is running from my local settings temp folder and trying to access smss.exe.

When I go to look in the temp folder, there's no such file. As a precaution I've trashed the TEMP folder in safe mode, ran malwarebytes with 0 things found, ran superantispyware with 54 items but they were all tracking cookies. Anyone have any ideas?

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,987 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:29 AM

Posted 04 July 2009 - 12:16 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:29 AM

Posted 04 July 2009 - 06:49 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 Han Su

Posted 05 July 2009 - 10:29 AM

SmitFraudFix v2.423

Scan done at 11:26:47.73, Sun 07/05/2009
Run from C:\Documents and Settings\Han and Steph\My Documents\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\sttray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Han and Steph\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Documents and Settings\Han and Steph\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Han and Steph\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
C:\Documents and Settings\Han and Steph\My Documents\Downloads\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Han and Steph


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HANAND~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Han and Steph\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HANAND~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{35A5C636-3A5B-4BB0-AB6A-A175C8491FD6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{35A5C636-3A5B-4BB0-AB6A-A175C8491FD6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{35A5C636-3A5B-4BB0-AB6A-A175C8491FD6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#5 rigel

Posted 05 July 2009 - 04:57 PM

Our next step...

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial. The self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.


#6 Han Su

Posted 06 July 2009 - 09:31 AM

Thanks so much for your assistance so far. RootRepeal and this computer do not play nice. Every time I try to run it, it BSODs my computer, talking about how it's trying to access the page file. It does it in safe mode as well. I've tried your suggestion to change the disk access as well.

#7 rigel

Posted 06 July 2009 - 03:10 PM

Let's try an alternate - GMER

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.


#8 Han Su

Posted 06 July 2009 - 04:20 PM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 19:30:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA7F0D22B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA7F0D1AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA7F0D255]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA7F0D1BF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA7F0D1EB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA7F0D27F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA7F0D197]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA7F0D23F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA7F0D1D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA7F0D201]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA7F0D217]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA7F0D295]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA7F0D269]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A7F0D26D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A7F0D22F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A7F0D283 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A7F0D299 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A7F0D243 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A7F0D259 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A7F0D21B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP A7F0D205 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP A7F0D1D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP A7F0D1AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP A7F0D1C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP A7F0D1EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP A7F0D19B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A100B5
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A1009A
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10FC0
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A1007D
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A1004E
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A100D2
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F8A
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10112
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A10F6F
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F54
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10FD1
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10F9B
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A1003D
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A1002C
.text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A100ED
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F8D
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A0004A
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A00039
.text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00FB2
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0FAF
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0044
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F000C
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\system32\svchost.exe[188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F001D
.text C:\WINDOWS\system32\svchost.exe[188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022F0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 022F008D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 022F007C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 022F005F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 022F0FA2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 022F003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022F00B9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022F009E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 022F0F2A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022F0F3B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022F00DE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 022F004E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 022F0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 022F0F7D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 022F0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 022F0022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022F0F56
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 022E0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 022E0076
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 022E002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 022E001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 022E0FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 022E000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 022E0051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 022E0FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01840081
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] msvcrt.dll!system 77C293C7 5 Bytes JMP 0184005C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0184003A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01840000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0184004B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01840029
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01830FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] WinInet.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 017D0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] WinInet.dll!InternetOpenW 3D95DB39 5 Bytes JMP 017D0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] WinInet.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 017D0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[352] WinInet.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 017D0025
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF008E
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF007D
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0FA3
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF006C
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F61
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF00A9
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00FA
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00DF
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F46
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF005B
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F88
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00CE
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660040
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660014
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FDE
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660F9E
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FB9
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650070
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065004B
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0065003A
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0065001D
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 00630FDE
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 00630FCD
.text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 00630014
.text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640FEF
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01DB0FEF
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01DB008C
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01DB0071
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01DB004A
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01DB0F8D
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01DB0F9E
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01DB00B8
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01DB00A7
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01DB0F55
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01DB00E4
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01DB0F3A
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01DB0025
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01DB0FD4
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01DB0F7C
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01DB0FAF
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01DB000A
.text C:\WINDOWS\Explorer.EXE[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01DB00D3
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80062
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F8001B
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80051
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F80040
.text C:\WINDOWS\Explorer.EXE[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FAF
.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20FBE
.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D20049
.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D2002E
.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20000
.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20FD9
.text C:\WINDOWS\Explorer.EXE[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D2001D
.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 00CF000A
.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 00CF001B
.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\Explorer.EXE[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80F5F
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80F70
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D8004A
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80F8D
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80FC3
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80F4E
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80096
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D80F2C
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D800BB
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80F07
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80FA8
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D8006F
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\services.exe[1524] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D80F3D
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D7003D
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70FBD
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D7002C
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70070
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D7005F
.text C:\WINDOWS\system32\services.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D7004E
.text C:\WINDOWS\system32\services.exe[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60053
.text C:\WINDOWS\system32\services.exe[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60042
.text C:\WINDOWS\system32\services.exe[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D6001D
.text C:\WINDOWS\system32\services.exe[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\services.exe[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D60FD2
.text C:\WINDOWS\system32\services.exe[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D60FE3
.text C:\WINDOWS\system32\services.exe[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70F4B
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F5C
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70F79
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C7006C
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C7005B
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F09
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70098
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C700C7
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C70F94
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C70F30
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C70FDB
.text C:\WINDOWS\system32\lsass.exe[1548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C7007D
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60011
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C60076
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C60065
.text C:\WINDOWS\system32\lsass.exe[1548] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C6004A
.text C:\WINDOWS\system32\lsass.exe[1548] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50050
.text C:\WINDOWS\system32\lsass.exe[1548] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C50FCF
.text C:\WINDOWS\system32\lsass.exe[1548] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C5002E
.text C:\WINDOWS\system32\lsass.exe[1548] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\lsass.exe[1548] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C5003F
.text C:\WINDOWS\system32\lsass.exe[1548] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C5001D
.text C:\WINDOWS\system32\lsass.exe[1548] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF007B
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0060
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0039
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0F7C
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0F97
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00B1
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F6B
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F18
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F29
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00CC
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF001E
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0096
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F44
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0051
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0040
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88]
.text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0053
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FC8
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD001D
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD002E
.text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90065
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E9004A
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F70
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90039
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FB2
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90080
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F44
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90EE7
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F02
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E90ED6
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90F97
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90F55
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FC3
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F27
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E80073
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80062
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E80051
.text C:\WINDOWS\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80FCA
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70055
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70044
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70029
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[1792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 028B0FEF
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 028B005B
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 028B004A
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 028B0F70
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 028B0F8D
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 028B0FB2
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 028B00A7
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028B0F55
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 028B0F0E
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 028B0F29
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 028B00C2
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 028B002F
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 028B0FDE
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 028B0076
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 028B0FC3
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 028B0014
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 028B0F3A
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 018E0011
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 018E0044
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 018E0FCA
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 018E0FDB
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 018E0033
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 018E0000
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 018E0022
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 018E0FA5
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 018D0084
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!system 77C293C7 5 Bytes JMP 018D0FEF
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 018D003A
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 018D0000
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 018D0055
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 018D0029
.text C:\WINDOWS\System32\svchost.exe[1832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 018C000A
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 018B0000
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 018B001B
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 018B002C
.text C:\WINDOWS\System32\svchost.exe[1832] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 018B0FE5
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F5E
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650F6F
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650F8A
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F9B
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650036
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650F30
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F41
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500BF
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500AE
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650F0B
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650047
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650014
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00650078
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650093
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640FC3
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640F6F
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640FD4
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640036
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00640025
.text C:\WINDOWS\system32\svchost.exe[1900] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640F9E
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630FAD
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FC8
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630038
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630FD9
.text C:\WINDOWS\system32\svchost.exe[1900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063001D
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800FB7
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008000AC
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800091
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800080
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0080005B
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F95
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800FA6
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800113
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008000F8
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00800124
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008000C7
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00800036
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00800F7A
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F002F
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0080
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F001E
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F0FDE
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F006F
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007F004A
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0FCD
.text C:\WINDOWS\system32\svchost.exe[1960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FBE
.text C:\WINDOWS\system32\svchost.exe[1960] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0049
.text C:\WINDOWS\system32\svchost.exe[1960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0FE3
.text C:\WINDOWS\system32\svchost.exe[1960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0038
.text C:\WINDOWS\system32\svchost.exe[1960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[1960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0073
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F88
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0062
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0051
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F46
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F57
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EFF
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F1A
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EEE
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A008E
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0025
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[2812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F35
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FC3
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FA1
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FD4
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FB2
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029004A
.text C:\WINDOWS\System32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029002F
.text C:\WINDOWS\System32\svchost.exe[2812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0078
.text C:\WINDOWS\System32\svchost.exe[2812] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0053
.text C:\WINDOWS\System32\svchost.exe[2812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[2812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[2812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0042
.text C:\WINDOWS\System32\svchost.exe[2812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[2812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A008E
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A007D
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A006C
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0051
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F72
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00BA
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F4D
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E6
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0101
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A00A9
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A001B
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00CB
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290062
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FD4
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290051
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290036
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FAF
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E005D
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FD2
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E001D
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0042
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F80
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0075
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0F9B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0058
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE00A1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0090
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00E8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE00CD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE0103
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0FB6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0F65
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE00BC
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DD002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DD007A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DD0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DD0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DD0069
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DD0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DD004E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DD003D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0FB7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC0F9C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3036] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB0FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[940] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00F62BC8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[940] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00F62CE9] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[940] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00F62CB8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Edited by Han Su, 06 July 2009 - 06:32 PM.


#9 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:29 AM

Posted 06 July 2009 - 07:39 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#10 Han Su

Han Su
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 06 July 2009 - 08:31 PM

SDFix: Version 1.240
Run by Han and Steph on Mon 07/06/2009 at 21:03

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 21:24:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Han and Steph\\Local Settings\\Temp\\InStream20080915\\InStream.app\\InStream.exe"="C:\\Documents and Settings\\Han and Steph\\Local Settings\\Temp\\InStream20080915\\InStream.app\\InStream.exe:*:Enabled:InStream.app/InStream"

Remaining Files :



Files with Hidden Attributes :

Wed 25 Mar 2009 786,432 A..H. --- "C:\Documents and Settings\Administrator\NTUSER.bak"
Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 26 Feb 2009 1,024 ...HR --- "C:\WINDOWS\system32\NTSHDW3.dll"
Tue 12 May 2009 10,053,112 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Tue 24 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 4 Mar 2009 262,144 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak"

Finished!
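The "Authorized Application Key Export" section of the SDFix report above is worth reading line by line: a firewall exception for an executable under Local Settings\Temp (as the domain-profile list shows) means something running from a temp folder was once allowed through the Windows firewall. The parser below is an added example, not part of SDFix or this thread; it reads that export format (`"path"="path:scope:state:name"` under a per-profile key) and flags enabled exceptions whose path lies in a temp directory. The sample export is constructed, not copied from the report.

```python
"""Flag Windows XP firewall exceptions that point into temp folders.
Added example; parses the AuthorizedApplications export format that SDFix prints."""
import re

# One export line: "C:\\dir\\app.exe"="C:\\dir\\app.exe:*:Enabled:Display Name"
LINE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')

# Directories from which an installed program rarely needs a firewall exception.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample in the export format (paths and names are made up).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Example\\tool.exe"="C:\\Program Files\\Example\\tool.exe:*:Disabled:Example Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\User\\Local Settings\\Temp\\SomeApp\\updater.exe"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\SomeApp\\updater.exe:*:Enabled:SomeApp"
'''

def parse_export(text):
    """Return a list of dicts with path, scope, state, name and firewall profile."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            profile = line[1:-1].split("\\")[-3]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group("key").replace("\\\\", "\\")      # registry export doubles backslashes
        value = m.group("value").replace("\\\\", "\\")
        if not value.lower().startswith(key.lower()):
            continue                                      # value should echo the path; skip malformed lines
        parts = value[len(key):].lstrip(":").split(":", 2)  # scope:state:name (name may contain ':')
        if len(parts) != 3:
            continue
        scope, state, name = parts
        entries.append({"path": key, "scope": scope, "state": state, "name": name, "profile": profile})
    return entries

def flag_suspicious(entries):
    """Enabled exceptions whose executable lives under a temp directory."""
    return [e for e in entries
            if e["state"].lower() == "enabled"
            and any(d in e["path"].lower() for d in SUSPICIOUS_DIRS)]

if __name__ == "__main__":
    for e in flag_suspicious(parse_export(SAMPLE_EXPORT)):
        print(f'{e["profile"]}: {e["name"]} -> {e["path"]}')
```

Paste a real export in place of SAMPLE_EXPORT to review a machine's own list; a hit does not prove infection, but it identifies an exception that should be removed if the program is no longer wanted.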

#11 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:29 AM

Posted 06 July 2009 - 08:55 PM

I can find nothing else wrong with your computer. How are things working now?

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#12 Han Su

Han Su
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 07 July 2009 - 08:46 PM

My question is what was wrong in the first place. I never noticed any sort of slow down or performance issues, just weird things being caught by McAfee in the access protection settings I setup. It's been pretty clean so far, no other weird issues happening since we've done all the work.

Thank you for all your help. I really do appreciate it.

#13 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:29 AM

Posted 07 July 2009 - 10:27 PM

I'm not sure what caused McAfee to alert you.

Let's finalize everything.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith




