Desktop Security 2010


  • This topic is locked
2 replies to this topic

#1 trout45

  • Members
  • 1 posts

Posted 03 May 2010 - 01:08 PM

It came up yesterday afternoon and I thought I got rid of it, but there are several processes still running in the Task Manager that never appeared before this virus hit. Malwarebytes comes up clean every time and rkill doesn't shut them down. Below are the DDS log and GMER log; attached is the DDS Attach file. This has been one of several malware attacks in the past six months; I have no idea what keeps causing them.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 10:13:34.40 on Mon 05/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1298 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\program files\itunes\itunesminiplayer.resources\ru.lproj\itunesminiplayerlocalizeditunesminiplayerlocalized.exe
C:\program files\quicktime\propertypanels\panelhelperbase.resources\nb.lproj\quicktimeresourcesquicktime.exe
C:\program files\adobe\acrobat 7.0\reader\plug_ins3d\hemispheredrvdx9.exe
C:\program files\common files\apple\mobile device support\bin\syncuicore.resources\de.lproj\mobilemesyncuicorelocalized.exe
C:\program files\adobe\acrobat 7.0\reader\plug_ins3d\hemispheredrvdx9.exe
C:\program files\common files\apple\mobile device support\bin\syncuicore.resources\de.lproj\mobilemesyncuicorelocalized.exe
C:\program files\alienguise\themes\alienware invader icon packager\invaderalienware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [razer] c:\program files\razer\razerhid.exe
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [UpdateSAUpdate] c:\docume~1\matt\locals~1\temp\BCwW.exe
mRun: [iTunesiTunesMiniPlayerLocalized] c:\program files\itunes\itunesminiplayer.resources\ru.lproj\itunesminiplayerlocalizeditunesminiplayerlocalized.exe
mRun: [QuickTimeQuickTimeResources] c:\program files\quicktime\propertypanels\panelhelperbase.resources\nb.lproj\quicktimeresourcesquicktime.exe
mRun: [tesselatedrvSOFT] c:\program files\adobe\acrobat 7.0\reader\plug_ins3d\hemispheredrvdx9.exe
mRun: [MobileMeSyncUICoreRessource] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\de.lproj\mobilemesyncuicorelocalized.exe
mRun: [securitycenterSAUpdate] c:\docume~1\matt\locals~1\temp\BCwW.exe
mRun: [drvDX8Right] c:\program files\adobe\acrobat 7.0\reader\plug_ins3d\hemispheredrvdx9.exe
mRun: [MobileMeSyncUICoreLocalized] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\de.lproj\mobilemesyncuicorelocalized.exe
mRun: [AlienwareInvader] c:\program files\alienguise\themes\alienware invader icon packager\invaderalienware.exe
mRunServices: [SUPERAntiSpywareApplication] c:\docume~1\matt\locals~1\temp\BCwW.exe
mRunServices: [AdobeAdobe3300] c:\program files\common files\adobe\calibration\gammagamma3300.exe
mRunServices: [InvaderAlienware] c:\program files\alienguise\themes\alienware invader icon packager\invaderalienware.exe
mRunServices: [ApplicationSAUpdate2.9.0.7] c:\docume~1\matt\locals~1\temp\BCwW.exe
mRunServices: [tesselatedrvDX9] c:\program files\adobe\acrobat 7.0\reader\plug_ins3d\hemispheredrvdx9.exe
mRunServices: [MobileMeSyncUICoreRessource] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\de.lproj\mobilemesyncuicorelocalized.exe
mRunServices: [AlienwareInvader] c:\program files\alienguise\themes\alienware invader icon packager\invaderalienware.exe
mRunServices: [iTunesiTunesMiniPlayerLocalized] c:\program files\itunes\itunesminiplayer.resources\ru.lproj\itunesminiplayerlocalizeditunesminiplayerlocalized.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\docume~1\matt\locals~1\temp\A.tmp
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: WB - c:\program files\alienguise\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\uqnwha0d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp
FF - plugin: c:\documents and settings\matt\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-7 342128]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 61440]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-4-9 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-4-9 144888]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-4-9 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-12-7 70216]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-16 1251720]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-8-17 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-7 91640]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-7 43288]
S1 SAVRT;SAVRT;\??\c:\program files\norton antivirus\savrt.sys --> c:\program files\norton antivirus\SAVRT.SYS [?]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton antivirus\savrtpel.sys --> c:\program files\norton antivirus\SAVRTPEL.SYS [?]
S2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" --> c:\program files\lavasoft\ad-aware 2007\aawservice.exe [?]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton antivirus\navapsvc.exe" --> c:\program files\norton antivirus\navapsvc.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2010-4-23 32384]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-12-7 65224]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20091203.004\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20091203.004\NAVENG.Sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20091203.004\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20091203.004\NavEx15.Sys [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2006-7-12 13225]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 SAVScan;Symantec AVScan;"c:\program files\norton antivirus\savscan.exe" --> c:\program files\norton antivirus\SAVScan.exe [?]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-9-27 223128]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-2-20 11520]
S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\samsung\samsung pc share manager\WiselinkPro.exe [2009-1-8 4136960]

=============== Created Last 30 ================

2010-04-24 20:57:31 0 d-----w- c:\windows\Performance
2010-04-23 16:21:39 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-23 16:21:39 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-23 16:21:38 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-23 16:21:38 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-23 16:21:36 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-04-23 16:21:23 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-23 14:02:20 12598 ----a-w- c:\windows\system32\wpa.bak
2010-04-23 13:24:58 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys
2010-04-23 12:23:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-23 12:21:52 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-04-23 12:21:51 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-04-23 12:21:50 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-04-23 12:13:33 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-23 11:49:59 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2010-04-23 11:48:57 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-04-23 11:47:59 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-04-23 11:47:35 0 d-----w- c:\program files\msn gaming zone
2010-04-23 11:45:28 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-04-23 11:45:19 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-04-23 11:45:19 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-04-23 11:45:19 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-04-23 11:45:19 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-04-23 11:45:19 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-04-23 11:44:57 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-04-23 11:32:03 28160 ----a-w- c:\windows\system32\irmon.dll
2010-04-23 11:32:03 151552 ----a-w- c:\windows\system32\irftp.exe
2010-04-23 11:32:02 8192 ----a-w- c:\windows\system32\wshirda.dll
2010-04-23 11:09:23 16535 ----a-r- c:\windows\SET64.tmp
2010-04-23 11:09:20 1088840 ----a-r- c:\windows\SET58.tmp
2010-04-23 11:09:17 1296669 ----a-r- c:\windows\SET55.tmp
2010-04-22 18:33:46 16535 ----a-r- c:\windows\SET63.tmp
2010-04-22 18:33:43 1088840 ----a-r- c:\windows\SET57.tmp
2010-04-22 18:33:40 1296669 ----a-r- c:\windows\SET54.tmp
2010-04-22 15:53:40 4444 ----a-w- c:\windows\system32\pid.PNF
2010-04-22 15:37:59 522220 -c--a-w- c:\windows\system32\dllcache\NT5INF.CAT
2010-04-22 15:37:54 16535 ----a-r- c:\windows\SET118.tmp
2010-04-22 15:37:51 1088840 ----a-r- c:\windows\SET10C.tmp
2010-04-22 15:37:48 1296669 ----a-r- c:\windows\SET109.tmp
2010-04-21 14:29:47 10344 ----a-w- c:\windows\system32\drivers\symlcbrd.sys
2010-04-19 23:06:07 0 d-----w- C:\pajek
2010-04-09 04:39:20 0 d-----w- c:\docume~1\matt\applic~1\ManyCam
2010-04-09 04:29:20 0 d-----w- c:\docume~1\matt\applic~1\GetRightToGo
2010-04-07 10:04:08 21039 ----a-w- c:\windows\setupapi.old

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 11:43:42 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-12 22:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2010-01-28 14:45:34 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-12 22:11:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 10:14:44.09 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-03 14:06:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Matt\LOCALS~1\Temp\fxtdipog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xBA49F238]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xBA49F0F6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xBA49F090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xBA49F0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xBA49F10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBA49F136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xBA49F1A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xBA49F18E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xBA49F1BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBA49F278]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xBA49F1E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xBA49F0E2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xBA49F054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xBA49F068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBA49F24C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xBA49F222]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xBA49F178]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xBA49F162]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xBA49F120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xBA49F20E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xBA49F1FA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xBA49F0CE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBA49F0BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xBA49F14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBA49F2A7]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xBA49F1D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBA49F28E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xBA49F262]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80502244 7 Bytes JMP BA49F266 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP BA49F23C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP BA49F27C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP BA49F292 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP BA49F250 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP BA49F058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP BA49F06C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP BA49F0BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP BA49F0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP BA49F094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP BA49F0D2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP BA49F2AB mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP BA49F166 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 2 Bytes JMP BA49F150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey + 3 806188B9 4 Bytes CALL 68F218F7
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP BA49F1D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619492 7 Bytes JMP BA49F17C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP BA49F124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP BA49F0FA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP BA49F10E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP BA49F13A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 7 Bytes JMP BA49F1A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADFA 7 Bytes JMP BA49F192 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP BA49F0E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA64 7 Bytes JMP BA49F226 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BD24 5 Bytes JMP BA49F1FE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 8061C174 7 Bytes JMP BA49F1BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C418 5 Bytes JMP BA49F212 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C532 5 Bytes JMP BA49F1EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8FBBA80]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8A3E360, 0x221CED, 0xE8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xBADCCC14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0FE5
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E008E
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E007D
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E006C
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E0FAF
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E002C
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E0F61
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E00A9
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E0F2B
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E00CE
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E00DF
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E0047
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E0F7E
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0FCA
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E001B
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E0F50
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1F, 89]
.text C:\WINDOWS\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0040
.text C:\WINDOWS\system32\services.exe[668] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0F8D
.text C:\WINDOWS\system32\services.exe[668] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\system32\services.exe[668] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\services.exe[668] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[668] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\services.exe[668] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE000C
.text C:\WINDOWS\system32\services.exe[668] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F63
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0058
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F7E
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F9B
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FB6
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F1A
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F37
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0EF5
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA008E
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EDA
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F48
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA007D
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90036
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90025
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B9006C
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B9005B
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80FB0
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B8003B
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FD2
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FC1
.text C:\WINDOWS\system32\lsass.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8000C
.text C:\WINDOWS\system32\lsass.exe[680] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF009A
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0FA5
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF007D
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00C1
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F79
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00F0
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F57
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF010B
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF005B
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F8A
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0040
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F68
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0080
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE006F
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0054
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FAB
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FBC
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FD7
.text C:\WINDOWS\system32\svchost.exe[832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F8F
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0084
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0073
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0FB6
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0FD1
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE00A9
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0F57
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00CE
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE0F35
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE0F10
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0058
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE0011
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0F74
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE003D
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE002C
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE0F46
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DD0025
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DD0076
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DD0FD4
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DD005B
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DD0FE5
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DD004A
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DD0FB9
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC002C
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC0FA1
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0011
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC0FBC
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04E50FEF
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04E5009D
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04E50F9E
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04E50FAF
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04E5006C
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04E50FDE
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04E500D5
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04E500B8
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04E50F50
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04E50F6B
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04E50104
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04E5005B
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04E50014
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04E50F8D
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04E5004A
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04E50025
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04E50F7C
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04E40FCA
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04E40F94
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04E40FDB
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04E4001B
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04E40051
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04E40000
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 04E40040
.text C:\WINDOWS\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04E40FAF
.text C:\WINDOWS\System32\svchost.exe[928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04E30031
.text C:\WINDOWS\System32\svchost.exe[928] msvcrt.dll!system 77C293C7 5 Bytes JMP 04E30F9C
.text C:\WINDOWS\System32\svchost.exe[928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04E30FC8
.text C:\WINDOWS\System32\svchost.exe[928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04E30000
.text C:\WINDOWS\System32\svchost.exe[928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04E30FAD
.text C:\WINDOWS\System32\svchost.exe[928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04E30FE3
.text C:\WINDOWS\System32\svchost.exe[928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04E20FEF
.text C:\WINDOWS\System32\svchost.exe[928] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04E10FE5
.text C:\WINDOWS\System32\svchost.exe[928] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04E10FCA
.text C:\WINDOWS\System32\svchost.exe[928] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04E10000
.text C:\WINDOWS\System32\svchost.exe[928] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 04E10011
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F88
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F99
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0073
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0047
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F5A
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B00A2
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F24
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00C7
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00D8
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0058
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F77
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0FDB
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0036
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B0F49
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FAF
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0F72
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0F83
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A0025
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0F9E
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790069
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!system 77C293C7 5 Bytes JMP 0079004E
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790FDE
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0079003D
.text C:\WINDOWS\system32\svchost.exe[1000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0073
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0F7E
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0058
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0047
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FC0
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C00BA
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C00A9
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00E6
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00CB
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0101
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0FAF
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0014
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0098
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0036
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0025
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F4D
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0062
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F9B
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B003D
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B002C
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0033
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0022
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FBC
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FE3
.text C:\WINDOWS\system32\svchost.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F66
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F2E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F4B
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00BD
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00A2
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F09
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F83
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0076
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0091
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F79
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F94
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FA5
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920042
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FB7
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092001D
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FC8
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900036
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F68
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660051
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660040
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660FAF
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660F26
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660F4D
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660ED5
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00660EF0
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00660093
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660F9E
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00660078
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660FDE
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00660F15
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650028
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650FCD
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650F6B
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00650F86
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [85, 88]
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650F97
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640F7C
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640FA1
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FCD
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FBC
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FDE
.text C:\WINDOWS\system32\svchost.exe[1452] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014C0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014C004E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014C0F63
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014C0F74
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014C0F9B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014C0FB6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014C0097
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014C007A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014C00B2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014C0F23
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014C0EFE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 014C003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 014C0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 014C0069
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 014C0022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 014C0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014C0F34
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014B0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014B0054
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014B0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014B0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014B0F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014B0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 014B0FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6B, 89]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014B002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 014A0038
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] msvcrt.dll!system 77C293C7 5 Bytes JMP 014A0027
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 014A0016
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014A0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 014A0FB7
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014A0FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01490000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E50FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E5006E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E5005D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50F83
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E500B0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F68
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E500E6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F4D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E500F7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E50025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E50FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50089
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E500C1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E4005B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E4000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E4004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E4002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E3005D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E3004C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30FD2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30027
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E20000
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02600000
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02600F9E
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02600FAF
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0260007D
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0260006C
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02600FCA
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02600F6D
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026000BF
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026000FF
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02600F5C
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02600110
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0260005B
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0260001B
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026000AE
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02600FE5
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02600036
.text C:\WINDOWS\Explorer.EXE[1988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026000D0
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025F0011
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025F0F8A
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025F0FC0
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025F0FE5
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025F0047
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025F0000
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 025F0FA5
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7F, 8A] {JG 0xffffffffffffff8c}
.text C:\WINDOWS\Explorer.EXE[1988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025F0022
.text C:\WINDOWS\Explorer.EXE[1988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025E008B
.text C:\WINDOWS\Explorer.EXE[1988] msvcrt.dll!system 77C293C7 5 Bytes JMP 025E0070
.text C:\WINDOWS\Explorer.EXE[1988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025E003A
.text C:\WINDOWS\Explorer.EXE[1988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025E0000
.text C:\WINDOWS\Explorer.EXE[1988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025E005F
.text C:\WINDOWS\Explorer.EXE[1988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025E001D
.text C:\WINDOWS\Explorer.EXE[1988] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 021C0000
.text C:\WINDOWS\Explorer.EXE[1988] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 021C0011
.text C:\WINDOWS\Explorer.EXE[1988] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 021C0022
.text C:\WINDOWS\Explorer.EXE[1988] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 021C0033
.text C:\WINDOWS\Explorer.EXE[1988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025D0FEF
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F7C
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA007B
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0F97
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0FA8
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0039
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA0096
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0F50
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA00A7
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA0F0E
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA00C2
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA004A
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0014
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0F61
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FC3
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0FDE
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F33
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90F9E
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FDE
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90FAF
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90047
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80044
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D80029
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D8000C
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\SearchIndexer.exe[2736] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A004C
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F57
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A003B
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F72
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0089
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0078
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00BF
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F1C
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00DA
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F83
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0067
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[3268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A009A
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F83
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290040
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029002F
.text C:\WINDOWS\System32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[3268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F90
.text C:\WINDOWS\System32\svchost.exe[3268] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0011
.text C:\WINDOWS\System32\svchost.exe[3268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FBC
.text C:\WINDOWS\System32\svchost.exe[3268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FAB
.text C:\WINDOWS\System32\svchost.exe[3268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FE3
.text C:\WINDOWS\System32\svchost.exe[3268] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3452] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\BTHUSB \Device\00000096 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\nvata \Device\NvAta0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\NvAta1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\0000008d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x35 0x5C 0x85 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x7E 0x0C 0x97 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x35 0x5C 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x7E 0x0C 0x97 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x82 0xA7 0x8D 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6A 0x42 0xAC 0xFB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x35 0x5C 0x85 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x7E 0x0C 0x97 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x35 0x5C 0x85 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7F 0x5A 0x71 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c6ffbe0a
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x35 0x5C 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7F 0x5A 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x35 0x5C 0x85 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7F 0x5A 0x71 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\0010c6ffbe0a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x89 0x12 0x19 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x35 0x5C 0x85 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCA 0x77 0xA7 0x44 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7F 0x5A 0x71 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x83 0xDC 0xA1 ...
Reg HKLM\SOFTWARE\Classes\.cs\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.rtf\PersistentHandler@ {2e2294a9-50d7-4fe7-a09f-e6492e185884}
Reg HKLM\SOFTWARE\Classes\.srf\PersistentHandler@ {eec97550-47a9-11cf-b952-00aa0051fe20}
Reg HKLM\SOFTWARE\Classes\.xslt\PersistentHandler@ {7E9D8D44-6926-426F-AA2B-217A819A5CCE}
Reg HKLM\SOFTWARE\Classes\htafile\CLSID@ {3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}
Reg HKLM\SOFTWARE\Classes\mapi\Shell@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files


Edited by trout45, 03 May 2010 - 01:54 PM.




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:05 PM

Posted 05 May 2010 - 12:23 PM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues, I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:05 PM

Posted 10 May 2010 - 09:08 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





