Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help Diagnose


  • This topic is locked This topic is locked
4 replies to this topic

#1 Saltier

Saltier

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 11 June 2010 - 12:45 PM

I think I have a web browser hijack. As Opera keeps being redirected off of google links. Any help much appreciated.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:45:16, on 11/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
G:\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
F:\Y'z Dock TaskBar\YzDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
G:\Opera\opera.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\mdm.exe
C:\Documents and Settings\Administrator\Desktop\HijackThisNEW.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - G:\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "G:\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [hp Update 2100C] J:\My Stuff\HP Scanner 2100C Driver\hpupdate.exe
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: OUTLOOK.lnk = G:\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: YzDock.lnk = F:\Y'z Dock TaskBar\YzDock.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 7179 bytes

Edited by Saltier, 11 June 2010 - 04:05 PM.


BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:46 PM

Posted 15 June 2010 - 10:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 Saltier

Saltier
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 16 June 2010 - 06:00 AM

My webbrowser is being redirected straight from google links. Also there are some unsolicited popup windows.

EDIT: Oh I forgot I have removed java from my machine.

Please don't apologise for keeping me waiting. I do appreciate the fact you are giving your time and knowledge for free Thank you. thumbup.gif


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 9:05:05.54 on 16/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.462 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
G:\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\Y'z Dock TaskBar\YzDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
G:\Opera\opera.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - g:\flashfxp\IEFlash.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [OpAgent] "OpAgent.exe" /agent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Nitro PDF Printer Monitor] "g:\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [hp Update 2100C] j:\my stuff\hp scanner 2100c driver\hpupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outlook.lnk - g:\microsoft office\office\OUTLOOK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yzdock.lnk - f:\y'z dock taskbar\YzDock.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: Nitro PDF Professional - cscript //B "g:\nitro pdf\professional\RemoveOldAddins.vbs"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9lo5h5qm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: g:\opera 10.01\program\plugins\np_gp.dll
FF - plugin: g:\opera 10.01\program\plugins\npdsplay.dll
FF - plugin: g:\opera 10.01\program\plugins\NPSWF32.dll
FF - plugin: g:\opera 10.01\program\plugins\npwmsdrm.dll
FF - plugin: g:\opera\program\plugins\np_gp.dll
FF - plugin: g:\opera\program\plugins\npdsplay.dll
FF - plugin: g:\opera\program\plugins\NPSWF32.dll
FF - plugin: g:\opera\program\plugins\npupd62.dll
FF - plugin: g:\opera\program\plugins\npupd62.dll
FF - plugin: g:\opera\program\plugins\npwmsdrm.dll
FF - plugin: g:\quicktime\plugins\npqtplugin.dll
FF - plugin: g:\quicktime\plugins\npqtplugin2.dll
FF - plugin: g:\quicktime\plugins\npqtplugin3.dll
FF - plugin: g:\quicktime\plugins\npqtplugin4.dll
FF - plugin: g:\quicktime\plugins\npqtplugin5.dll
FF - plugin: g:\quicktime\plugins\npqtplugin6.dll
FF - plugin: g:\quicktime\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
g:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [2010-4-7 161060]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-22 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-22 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-22 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-22 40552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-22 34248]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-06-11 16:15:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-11 15:52:34 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-11 14:27:17 0 dc----w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-05 10:48:56 680 ----a-w- c:\windows\AUTOLNCH.REG
2010-06-05 10:45:39 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-06-05 10:45:39 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-06-05 10:45:38 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2010-06-05 10:45:38 83968 ----a-w- c:\windows\system32\hpgt21.dll
2010-06-05 10:45:38 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll
2010-06-05 10:45:38 32768 ----a-w- c:\windows\system32\hpgtmcro.dll
2010-06-05 10:45:38 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2010-06-05 10:45:38 123392 ----a-w- c:\windows\system32\hpgt21tk.dll
2010-06-05 10:45:37 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-05 10:45:37 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-05-31 15:39:03 54156 ---ha-w- c:\windows\QTFont.qfn
2010-05-31 15:39:03 1409 ----a-w- c:\windows\QTFont.for
2010-05-27 11:40:19 0 d-----w- c:\program files\Spell Check Anywhere
2010-05-23 23:18:30 0 d-----w- c:\docume~1\alluse~1\applic~1\MAGIX
2010-05-23 23:12:33 0 d-----w- c:\docume~1\admini~1\applic~1\MAGIX
2010-05-23 23:11:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Xara

==================== Find3M ====================

2010-06-12 14:47:59 2228 ----a-w- c:\windows\system32\dkfzip32.DAT
2010-05-27 11:43:48 286720 ----a-w- c:\windows\iun507.exe
2010-04-07 19:47:12 7168 ----a-w- C:\Age.exe
2010-03-18 22:21:56 269144 ----a-w- c:\windows\system32\vsjitdebugger.exe
2010-03-18 15:47:22 17760 ----a-w- c:\windows\system32\aspnet_counters.dll
2010-03-18 12:16:28 771424 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2010-03-18 09:09:00 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-18 09:09:00 49488 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-18 09:09:00 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-03-18 09:09:00 295264 ----a-w- c:\windows\system32\PresentationHost.exe



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-16 10:18:43
Windows 5.1.2600 Service Pack 3
Running: fh0t5pjk.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT spcv.sys ZwCreateKey [0xF73DB0E0]
SSDT spcv.sys ZwEnumerateKey [0xF73F9CA4]
SSDT spcv.sys ZwEnumerateValueKey [0xF73FA032]
SSDT spcv.sys ZwOpenKey [0xF73DB0C0]
SSDT spcv.sys ZwQueryKey [0xF73FA10A]
SSDT spcv.sys ZwQueryValueKey [0xF73F9F8A]
SSDT spcv.sys ZwSetValueKey [0xF73FA19C]

INT 0x62 ? 8676CBF8
INT 0x63 ? 86549D68
INT 0x73 ? 86549D68
INT 0x82 ? 8676CBF8
INT 0xB4 ? 86549D68

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA64C78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA64C738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA64C74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA64C83B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA64C867]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA64C7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA64C901]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA64C710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA64C724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA64C79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA64C8A9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA64C851]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA64C929]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA64C915]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA64C776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA64C762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA64C7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA64C8EB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA64C7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA64C7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050222C 7 Bytes JMP AA64C7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E27C 5 Bytes JMP AA64C78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7480 7 Bytes JMP AA64C7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8296 5 Bytes JMP AA64C7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA08 7 Bytes JMP AA64C7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1296 5 Bytes JMP AA64C714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C1522 5 Bytes JMP AA64C728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3D54 5 Bytes JMP AA64C766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C736A 7 Bytes JMP AA64C750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C7420 5 Bytes JMP AA64C73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C792A 5 Bytes JMP AA64C77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8C2A 5 Bytes JMP AA64C7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618B36 7 Bytes JMP AA64C8EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806193D4 7 Bytes JMP AA64C8AD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619CA8 7 Bytes JMP AA64C855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A716 7 Bytes JMP AA64C83F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A8E6 7 Bytes JMP AA64C86B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BC3E 5 Bytes JMP AA64C919 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C332 5 Bytes JMP AA64C92D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C44C 5 Bytes JMP AA64C905 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spcv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F5A7E8AC 5 Bytes JMP 86549348
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF4C72000, 0x1B601E, 0xE8000020]
.text ah2t0p8a.SYS EB136386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ah2t0p8a.SYS EB1363AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ah2t0p8a.SYS EB1363C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ah2t0p8a.SYS EB1363C9 1 Byte [30]
.text ah2t0p8a.SYS EB1363C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.rsrc C:\WINDOWS\system32\DRIVERS\i8042prt.sys entry point in ".rsrc" section [0xEB3D2194]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC00A7
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC008C
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC006F
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0FB2
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC004A
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F5F
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F70
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00C2
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F29
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BC0F0E
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BC0FCD
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BC0F8D
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\services.exe[932] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BC0F4E
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0006004B
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0006003A
.text C:\WINDOWS\system32\services.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060018
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[932] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010A0000
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010A0093
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010A0082
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010A0FA8
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010A005B
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010A002F
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010A00D5
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010A00BA
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010A010B
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010A00FA
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010A0F57
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 010A0040
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 010A0FE5
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 010A0F83
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 010A0FB9
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 010A0FD4
.text C:\WINDOWS\system32\lsass.exe[944] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010A0F72
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0109001E
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01090FA1
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01090FC3
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01090FD4
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01090FB2
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01090FE5
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0109004A
.text C:\WINDOWS\system32\lsass.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01090039
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF003D
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FCD
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FBC
.text C:\WINDOWS\system32\lsass.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\lsass.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\lsass.exe[944] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\lsass.exe[944] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\lsass.exe[944] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\system32\lsass.exe[944] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02570000
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02570095
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0257007A
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02570069
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0257004E
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02570FC7
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025700A6
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02570F5E
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02570F32
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025700CB
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02570F21
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02570FAC
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02570011
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02570F85
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02570033
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02570022
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02570F4D
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02560FC3
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02560F68
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02560014
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02560FD4
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02560F8D
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02560FEF
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02560025
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02560FA8
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02550F7C
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 02550011
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02550FC6
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02550000
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02550FAB
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02550FE3
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02530FE5
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02530FD4
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02530FB9
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02530014
.text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02540000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC000A
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F83
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F94
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0FAF
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0062
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0047
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F5C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC00A4
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00EB
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC00DA
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC0106
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC0093
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC002C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC00BF
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FB006C
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FB0025
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FB005B
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FB0040
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FB0FC3
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0FB9
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA004E
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA0FDE
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0033
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D8001B
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02530000
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02530F81
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02530080
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02530065
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02530FA8
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02530FCA
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025300C7
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025300AC
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025300FD
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025300E2
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0253010E
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02530FB9
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0253001B
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02530091
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02530FDB
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0253002C
.text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02530F5A
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02520036
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0252006C
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02520FE5
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0252001B
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02520FAF
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02520000
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02520051
.text C:\WINDOWS\System32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02520FCA
.text C:\WINDOWS\System32\svchost.exe[1380] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01A5000A
.text C:\WINDOWS\System32\svchost.exe[1380] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 016B000A
.text C:\WINDOWS\System32\svchost.exe[1380] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0251005D
.text C:\WINDOWS\System32\svchost.exe[1380] msvcrt.dll!system 77C293C7 5 Bytes JMP 02510038
.text C:\WINDOWS\System32\svchost.exe[1380] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02510FD2
.text C:\WINDOWS\System32\svchost.exe[1380] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02510FEF
.text C:\WINDOWS\System32\svchost.exe[1380] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0251001D
.text C:\WINDOWS\System32\svchost.exe[1380] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0251000C
.text C:\WINDOWS\System32\svchost.exe[1380] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 023F0000
.text C:\WINDOWS\System32\svchost.exe[1380] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 023F0FE5
.text C:\WINDOWS\System32\svchost.exe[1380] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 023F001B
.text C:\WINDOWS\System32\svchost.exe[1380] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 023F0FCA
.text C:\WINDOWS\System32\svchost.exe[1380] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02400FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50082
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50071
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50056
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50F8D
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A500AE
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A50F66
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500EE
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A500D3
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A50F44
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A50FA8
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A50093
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A50F55
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A40FDB
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A40F9B
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A40036
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A40062
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A40FC0
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [C4, 88]
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A40047
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A30020
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30F95
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A30FC1
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A30FA6
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30FD2
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D40F79
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40F94
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D40FA5
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D40062
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40FCA
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D400A6
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D40095
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40F2F
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D400C8
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D400E3
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D40047
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D40011
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D40F5E
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D40036
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D40FDB
.text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D400B7
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C5006C
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C50040
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40042
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40FB7
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40FE3
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40FC8
.text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C20FA8
.text C:\WINDOWS\system32\svchost.exe[1816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30000
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0143000A
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0143009D
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01430082
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01430071
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01430FA8
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01430040
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01430F72
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01430F83
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01430F4D
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014300E6
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01430F32
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01430FC3
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01430FEF
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 014300AE
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01430FD4
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01430025
.text C:\WINDOWS\Explorer.EXE[1848] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 014300CB
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E90036
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E90F83
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E9001B
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E90F9E
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E9000A
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E90FB9
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [09, 89]
.text C:\WINDOWS\Explorer.EXE[1848] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80051
.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80036
.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80011
.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80000
.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80FC6
.text C:\WINDOWS\Explorer.EXE[1848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80FE3
.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E30000
.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E30025
.text C:\WINDOWS\Explorer.EXE[1848] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\Explorer.EXE[1848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1864] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 35720000
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 35720F74
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 35720069
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 3572004E
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 35720F91
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 35720022
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 35720F52
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 35720F63
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 35720F26
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 357200BF
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 35720F0B
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 35720033
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 35720011
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 3572008E
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 35720FB6
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 35720FD1
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 35720F41
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E0005D
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FD2
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E00FE3
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00000
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00038
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E0001D
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 35710025
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 35710051
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 35710FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 35710FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 35710040
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 35710000
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 35710F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [91, BD]
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 35710FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DE0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DE0014
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DE0FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DE0FC3
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0F90
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0FA1
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0FB2
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0065
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FC3
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00B4
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0F6E
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00CF
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F36
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001D00EA
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001D004A
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001D0FDE
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001D0F7F
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001D002F
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001D0014
.text C:\WINDOWS\System32\svchost.exe[2288] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001D0F51
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002C0036
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002C008E
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002C0025
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002C007D
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002C000A
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002C0062
.text C:\WINDOWS\System32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002C0047
.text C:\WINDOWS\System32\svchost.exe[2288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00410053
.text C:\WINDOWS\System32\svchost.exe[2288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00410042
.text C:\WINDOWS\System32\svchost.exe[2288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00410FE3
.text C:\WINDOWS\System32\svchost.exe[2288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00410000
.text C:\WINDOWS\System32\svchost.exe[2288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00410FD2
.text C:\WINDOWS\System32\svchost.exe[2288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0041001D
.text C:\WINDOWS\System32\svchost.exe[2288] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00790FEF
.text C:\WINDOWS\System32\svchost.exe[2288] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00790000
.text C:\WINDOWS\System32\svchost.exe[2288] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0079001B
.text C:\WINDOWS\System32\svchost.exe[2288] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00790036
.text C:\WINDOWS\System32\svchost.exe[2288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90F6D
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90062
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90051
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90F94
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90093
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F4B
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F04
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F15
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D900B8
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D90F5C
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D90040
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[2724] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D90F26
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D80F9E
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D80014
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D80FD4
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D80F61
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00D80F72
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [F8, 88]
.text C:\WINDOWS\system32\svchost.exe[2724] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D80F83
.text C:\WINDOWS\system32\svchost.exe[2724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70F8B
.text C:\WINDOWS\system32\svchost.exe[2724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FA6
.text C:\WINDOWS\system32\svchost.exe[2724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FD2
.text C:\WINDOWS\system32\svchost.exe[2724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FE3
.text C:\WINDOWS\system32\svchost.exe[2724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FC1
.text C:\WINDOWS\system32\svchost.exe[2724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D7000C
.text C:\WINDOWS\system32\svchost.exe[2724] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[2724] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[2724] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[2724] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D60047

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73DC042] spcv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73DC13E] spcv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73DC0C0] spcv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73DC800] spcv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73DC6D6] spcv.sys
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ah2t0p8a.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73EBE9C] spcv.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8676B1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 862C8500

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{1D28DCF8-5B33-4096-841B-3AB8270DE0C5} 86298500
Device \Driver\usbohci \Device\USBPDO-0 86578500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8676D1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8676D1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8676D1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8676D1F8
Device \Driver\usbohci \Device\USBPDO-1 86578500
Device \Driver\usbehci \Device\USBPDO-2 86575500

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 867DA1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 867DA1F8
Device \Driver\Cdrom \Device\CdRom0 864DB500
Device \Driver\Ftdisk \Device\HarddiskVolume3 867DA1F8
Device \Driver\Cdrom \Device\CdRom1 864DB500
Device \Driver\Ftdisk \Device\HarddiskVolume4 867DA1F8
Device \Driver\Cdrom \Device\CdRom2 864DB500
Device \Driver\nvatabus \Device\00000069 8676C1F8
Device \Driver\sptd \Device\4211485764 spcv.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 86298500
Device \Driver\PCI_PNP7014 \Device\0000004b spcv.sys
Device \Driver\PCI_PNP7014 \Device\0000004b spcv.sys
Device \Driver\NetBT \Device\NetbiosSmb 86298500

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\nvatabus \Device\0000006a 8676C1F8
Device \Driver\nvatabus \Device\0000006b 8676C1F8
Device \Driver\usbohci \Device\USBFDO-0 86578500
Device \Driver\usbohci \Device\USBFDO-1 86578500
Device \Driver\nvatabus \Device\NvAta0 8676C1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8636B500
Device \Driver\usbehci \Device\USBFDO-2 86575500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8636B500
Device \Driver\Ftdisk \Device\FtControl 867DA1F8
Device \Driver\ah2t0p8a \Device\Scsi\ah2t0p8a1 863BF500
Device \Driver\ah2t0p8a \Device\Scsi\ah2t0p8a1Port1Path0Target0Lun0 863BF500
Device \FileSystem\Fastfat \Fat 862C8500

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 862B4500
Device -> \Driver\nvatabus \Device\Harddisk0\DR0 8602FEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFB 0xE6 0xF7 0x6A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB5 0x50 0x42 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4F 0x57 0xB2 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFB 0xE6 0xF7 0x6A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB5 0x50 0x42 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4F 0x57 0xB2 0xE2 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification
File C:\WINDOWS\system32\drivers\nvatabus.sys suspicious modification

---- EOF - GMER 1.0.15 ----


============= FINISH: 9:06:28.01 ===============

Attached Files


Edited by Saltier, 16 June 2010 - 06:02 AM.


#4 Saltier

Saltier
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 18 June 2010 - 12:26 PM

Please don't bother to go any further with this thread. I decided to do a clean install of windows.

I hope this will alleviate a bit, your logjam.

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:46 PM

Posted 19 June 2010 - 01:11 PM

Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users